Jackon 3: `@JsonSubTypes` does not affect validity checks

[sdeleuze]

Search before asking

• I searched in the issues and found nothing similar.

Describe the bug

Please find below a reproducer for a use case we have for Spring Security Jackson 3 support, where we would like to disable global default typing (for better security) and just rely on @JsonTypeInfo + @JsonSubTypes for polymorphic deserialization, and that seems not possible.

Despite the fact we register a strict set of sub types via @JsonSubTypes to deserialize Object principal, Jackson 3 requires a custom PolymorphicTypeValidator, which we would like to avoid because we try to remove mandatory mapper configuration.

Could DefaultBaseTypeLimitingValidator relax its checks in that case and take in account @JsonSubTypes configured in the mixins?

Version Information

3.0.0-rc10

Reproduction

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import org.junit.jupiter.api.Test;
import tools.jackson.databind.json.JsonMapper;

import static org.assertj.core.api.Assertions.assertThat;

public class JacksonPTVTests {

	@Test
	void stringPrincipal() {
		JsonMapper mapper = new JsonMapper();
		String json = mapper.writeValueAsString(new User("bob"));
		User user = mapper.readValue(json, User.class);
		assertThat(user.principal()).isEqualTo("bob");
	}

	@Test
	void customPrincipal() {
		JsonMapper mapper = new JsonMapper();
		String json = mapper.writeValueAsString(new User(new CustomPrincipal("bob")));
		User user = mapper.readValue(json, User.class);
		assertThat(user.principal()).isInstanceOf(CustomPrincipal.class);
	}

	@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
	record User(
			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
			@JsonSubTypes({ @JsonSubTypes.Type(CustomPrincipal.class)})
			Object principal) {
	}

	record CustomPrincipal(String login) {
	}
}

Generates the following error

Configured `PolymorphicTypeValidator` (of type `tools.jackson.databind.jsontype.DefaultBaseTypeLimitingValidator`) denies resolution of all subtypes of base type `java.lang.Object` as using too generic base type can open a security hole without checks on subtype: please configure a custom `PolymorphicTypeValidator` for this use case

Expected behavior

@JsonSubTypes({ @JsonSubTypes.Type(CustomPrincipal.class)}) is enough to make the Object principal deserialization safe and authorized by default.

Additional context

No response

[cowtowncoder]

Quick note: correct, PolymorphicTypeValidator does not use @JsonSubTypes information for anything: @JsonSubTypes only helps find Type names used with @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) usage.
(wherein Id.CLASS_NAME does not need such help).

The idea of tying validity (optionally) to indicated subtypes is reasonable but such connection does not yet exist.

We can think of ways to make that happen: f.ex with an addition of a new property in @JsonTypeInfo, but probably would also require additional plumbing to make PolymorphicTypeValidator able to access registered subtypes.
(that interaction may be the challenging part).