Refactor file serialization logic in import and export APIs

[RovinKYK]

Purpose

Eliminates code duplication across 4 entity modules (Applications, Identity Providers, User Stores, Claims) where each implements nearly identical file serialization/deserialization logic for XML/JSON/YAML formats, creating maintenance burden and inconsistency.

Related to https://github.com/wso2-enterprise/iam-product-management/issues/662

Goals

Introduce a centralized file serialization utility framework that consolidates duplicated code while preserving entity-specific customizations and maintaining backward compatibility with existing import/export functionality.

Approach

Created FileSerializationUtil as the single source of truth for all serialization/deserialization operations with the following architecture:

• Centralized Logic: All XML (JAXB), JSON (Jackson), and YAML (SnakeYAML) serialization logic moved to FileSerializationUtil in the common module.
• Separate Configurations: Introduced XmlConfig, JsonConfig, and YamlConfig classes to isolate format-specific settings.
• Hook-Based Customization: Functional interface hooks (Consumers for customizations, Functions for factories) allow entities to inject custom behavior without modifying core logic.
• Unified Error Handling: FileSerializationException provides consistent error context (fileName, mediaType, operation) across all formats.

Entity services now construct configuration objects and delegate to the utility, removing implementation in service sides while preserving exact output formats.

For detailed architecture and migration details please refer:
https://docs.google.com/document/d/1A8gC1wPyTrMIxChN5oBbADigKl9O7zTaGBJ5cBHOQ84/edit?usp=sharing

User stories

Summary of user stories addressed by this change>

Developer Checklist (Mandatory)

• Complete the Developer Checklist in the related product-is issue to track any behavioral change or migration impact.

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

• Unit tests

  Code coverage information

• Integration tests

  Details about the test cases and coverage

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no
• Ran FindSecurityBugs plugin and verified report? yes/no
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

• New Features

  • Unified import/export across XML/JSON/YAML via a configurable serialization utility and new configuration objects.
  • Safer YAML handling with trusted-class support and customizable dumping options.

• Refactor

  • Centralized serialization/deserialization workflow for consistent import/export behavior.
  • Internal package adjustments to consolidate shared file-handling utilities.

• Bug Fixes

  • Clearer, centralized file (de)serialization error reporting and consistent error mapping.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Centralized XML/JSON/YAML (de)serialization by adding FileSerializationUtil, FileSerializationConfig (XmlConfig/JsonConfig/YamlConfig), and FileSerializationException; moved FileContent to a new package and refactored multiple service modules to use the unified API instead of ad‑hoc per‑format logic.

Changes

Cohort / File(s)	Summary
New serialization framework components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java, .../FileSerializationConfig.java, .../FileSerializationException.java, .../XmlConfig.java, .../JsonConfig.java, .../YamlConfig.java	Added centralized serialize/deserialize utility and configuration types for XML (JAXB), JSON (Jackson), and YAML (SnakeYAML). Introduced per-format config hooks (marshaller customizer, subtype lists, YAML customizers/trusted classes) and unified FileSerializationException.
FileContent package move components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileContent.java	Changed package of FileContent to org.wso2.carbon.identity.api.server.common.file.
Service import updates components/.../claim.management/.../impl/ClaimManagementApiServiceImpl.java, components/.../idp/.../impl/IdentityProvidersApiServiceImpl.java, components/.../userstore/.../impl/UserstoresApiServiceImpl.java	Updated imports to the relocated FileContent type; no public API signature changes.
Application management components/org.wso2.carbon.identity.api.server.application.management/.../core/ServerApplicationManagementService.java	Replaced manual JAXB/YAML/JSON parsing with FileSerializationUtil + FileSerializationConfig; consolidated inbound protocol handling and unified error mapping to FileSerializationException.
Claim management components/org.wso2.carbon.identity.api.server.claim.management/.../core/ServerClaimManagementService.java	Replaced manual XML/JSON/YAML parsing/serialization with FileSerializationUtil; added YamlConfig settings (BLOCK style, trusted classes) and map parsing errors to FileSerializationException → ClaimMetadataException.
Identity provider management components/org.wso2.carbon.identity.api.server.idp/.../core/ServerIdpManagementService.java	Replaced format-specific (de)serialization with FileSerializationUtil flows; removed per-format parsing helpers and adjusted exception handling to use FileSerializationException.
User store management components/org.wso2.carbon.identity.api.server.userstore/.../core/ServerUserStoreService.java	Delegated file generation/parsing to FileSerializationUtil; removed per-format parser methods and direct JAXB/Jackson/YAML imports; mapped FileSerializationException to service exceptions.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Service as ServerService
    participant Serializer as FileSerializationUtil
    participant ParserLib as "JAXB / Jackson / SnakeYAML"

    Client->>Service: request export or upload (file/model)
    Service->>Serializer: serialize(entity, fileName, fileType, config) / deserialize(fileContent, targetClass, config)
    Serializer->>ParserLib: invoke per-format marshal/unmarshal
    ParserLib-->>Serializer: bytes or object
    Serializer-->>Service: FileContent or model
    Service-->>Client: TransferResource or result

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I nibbled bytes of YAML, JSON, XML stew,
Built one neat burrow so formats hop through.
Configs in my pocket, exceptions in sight,
I hop, I hum — serialization sleeps tight,
Carrots of code glowing soft and bright. 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description addresses Purpose, Goals, and Approach sections thoroughly with architecture details and reference documentation. However, several required sections (Developer Checklist, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, Learning) remain unfilled with placeholder text.	Complete the unfilled template sections: provide concrete details for Developer Checklist status, release notes, documentation links, test coverage information, security verification checkmarks, migration procedures if applicable, and test environment details.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: refactoring file serialization logic across import and export APIs, which aligns with the core objective of consolidating duplicated serialization/deserialization code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 2
#### Log Improvement Suggestion No: 5
#### Log Improvement Suggestion No: 6
#### Log Improvement Suggestion No: 7
#### Log Improvement Suggestion No: 9

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In
`@components/org.wso2.carbon.identity.api.server.application.management/org.wso2.carbon.identity.api.server.application.management.v1/src/main/java/org/wso2/carbon/identity/api/server/application/management/v1/core/ServerApplicationManagementService.java`:
- Around line 626-633: The loop creates a new SnakeYAML TypeDescription for
InboundConfigurationProtocol on each iteration causing earlier protocol mappings
to be overwritten; instead, build a single TypeDescription for
InboundConfigurationProtocol, call description.addPropertyParameters("type",
protocol) for each protocol in INBOUND_CONFIG_PROTOCOLS, then call
constructor.addTypeDescription(description) once (keep references to YamlConfig,
INBOUND_CONFIG_PROTOCOLS, TypeDescription, InboundConfigurationProtocol, and
constructor.addTypeDescription to locate the code).

In
`@components/org.wso2.carbon.identity.api.server.claim.management/org.wso2.carbon.identity.rest.api.server.claim.management.v1/src/main/java/org/wso2/carbon/identity/rest/api/server/claim/management/v1/core/ServerClaimManagementService.java`:
- Around line 751-763: Add explicit allow-list validation for the requested
media type: in exportClaimDialectToFile, check fileType against the supported
media types used by FileSerializationUtil.serialize (reject unsupported values
rather than relying on its fallback to YAML) and throw a ClaimMetadataException
(using the existing error patterns) when the type is not allowed; alternatively,
modify FileSerializationUtil.serialize to detect unsupported media types and
throw FileSerializationException instead of defaulting to YAML so callers like
exportClaimDialectToFile receive a failure and can return an error to the
client.

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java`:
- Around line 281-296: The deserializeFromYaml method currently builds a
Constructor and Yaml without applying the configured constructorCustomizer from
FileSerializationConfig/YamlConfig, so custom type loaders/type descriptions are
ignored; update deserializeFromYaml to retrieve the constructorCustomizer (same
way serializeToYaml does), and if present invoke it to customize the Constructor
instance (the one created as new Constructor(targetClass, loaderOptions)) before
creating the Yaml and calling yaml.loadAs; ensure you reference the existing
symbols (deserializeFromYaml, FileSerializationConfig.getYamlConfig(),
constructorCustomizer, Constructor, loaderOptions, yaml.loadAs) so the
customization is applied consistently with serializeToYaml.

🧹 Nitpick comments (2)

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/JsonConfig.java (1)

35-37: Inconsistent defensive copying in setter.

getSubtypes() defensively clones the array, but setSubtypes() stores the reference directly. If the caller modifies the passed array after calling the setter, the internal state will change unexpectedly.

♻️ Suggested fix

     public void setSubtypes(Class<?>... classes) {
-        this.subtypes = classes;
+        this.subtypes = classes != null ? classes.clone() : new Class<?>[0];
     }

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/XmlConfig.java (1)

40-42: Inconsistent defensive copying in setter.

Same issue as in JsonConfig: getAdditionalJaxbClasses() defensively clones the array, but setAdditionalJaxbClasses() stores the reference directly.

♻️ Suggested fix

     public void setAdditionalJaxbClasses(Class<?>... classes) {
-        this.additionalJaxbClasses = classes;
+        this.additionalJaxbClasses = classes != null ? classes.clone() : new Class<?>[0];
     }

[Copilot]

Pull request overview

This PR refactors file serialization logic used in import and export APIs by extracting common serialization/deserialization code into reusable utility classes. The refactoring consolidates duplicate XML, JSON, and YAML parsing logic that was previously scattered across multiple service classes.

Changes:

• Moved FileContent class to a new file subpackage and created centralized serialization utilities
• Introduced FileSerializationUtil with pluggable configuration for XML, JSON, and YAML formats
• Replaced implementation-specific serialization code in UserStore, IDP, Claims, and Application management services with calls to the new utility

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
FileContent.java	Moved from root common package to file subpackage
FileSerializationUtil.java	New centralized utility for serializing/deserializing objects to XML/JSON/YAML
FileSerializationException.java	New exception class for serialization errors with operation context
FileSerializationConfig.java	New configuration holder for format-specific settings
YamlConfig.java, XmlConfig.java, JsonConfig.java	New format-specific configuration classes
ServerUserStoreService.java	Refactored to use new serialization utility, removed duplicate parsing methods
ServerIdpManagementService.java	Refactored to use new serialization utility with custom YAML configuration for property exclusion
ServerClaimManagementService.java	Refactored to use new serialization utility with custom YAML dumper options
ServerApplicationManagementService.java	Refactored to use new serialization utility with configuration for all formats
UserstoresApiServiceImpl.java, IdentityProvidersApiServiceImpl.java, ClaimManagementApiServiceImpl.java	Updated imports for relocated FileContent class

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java`:
- Around line 64-83: The serialize method leaves the config null-check empty
causing NPEs when calling config.getXmlConfig()/getJsonConfig()/getYamlConfig();
fix by initializing a default FileSerializationConfig when config is null (e.g.,
if (config == null) { config = new FileSerializationConfig(); }) before
computing mediaType and calling serializeToXml/serializeToJson/serializeToYaml;
keep the rest of the switch and handleUnsupportedSerialize(...) logic unchanged.

♻️ Duplicate comments (1)

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java (1)

348-368: Apply YamlConfig.constructorCustomizer during YAML deserialization.

serializeToYaml applies the constructor customizer, but deserializeFromYaml ignores it, so custom loaders/type descriptions won’t be honored.

🛠️ Proposed fix

-            Constructor constructor = new Constructor(targetClass, loaderOptions);
+            Constructor constructor = new Constructor(targetClass, loaderOptions);
+            if (config.getYamlConfig().getConstructorCustomizer() != null) {
+                config.getYamlConfig().getConstructorCustomizer().accept(constructor);
+            }
             Yaml yaml = new Yaml(constructor);

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java`:
- Around line 304-323: The deserializeFromXml method in FileSerializationUtil
currently calls unmarshaller.unmarshal on a StringReader which leaves XML
parsing vulnerable to XXE; fix it by creating a secure StAX XMLInputFactory
(disable DTDs and external entity resolution via IS_SUPPORTING_EXTERNAL_ENTITIES
and SUPPORT_DTD or equivalent parser properties, and set a safe XMLResolver/null
resolver), build an XMLStreamReader from the fileContent string, and pass that
XMLStreamReader to Unmarshaller.unmarshal instead of the StringReader; keep the
JAXBContext/Unmarshaller usage (JAXBContext.newInstance, unmarshaller) and
ensure exceptions are still wrapped in FileSerializationException.

♻️ Duplicate comments (1)

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java (1)

349-369: Apply constructorCustomizer during YAML deserialization.

deserializeFromYaml builds a Constructor but never applies YamlConfig#getConstructorCustomizer(), so any custom loaders/type descriptions are ignored. This diverges from serializeToYaml and will surprise callers.

🛠️ Proposed fix

             Constructor constructor = new Constructor(targetClass, loaderOptions);
+            if (config.getYamlConfig().getConstructorCustomizer() != null) {
+                config.getYamlConfig().getConstructorCustomizer().accept(constructor);
+            }
             Yaml yaml = new Yaml(constructor);

SnakeYAML Constructor customizer apply to loadAs deserialization

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationConfig.java`:
- Around line 84-95: In FileSerializationConfig, add null guards in the setters
setSerializeDefault(DefaultFormat serializeDefault) and
setDeserializeDefault(DefaultFormat deserializeDefault) so they reject null
inputs consistently with the other config checks: validate the parameter is not
null and throw an IllegalArgumentException (with a clear message like
"serializeDefault cannot be null" / "deserializeDefault cannot be null") if it
is, otherwise assign to this.serializeDefault / this.deserializeDefault; this
prevents NPEs later when branching on media type.

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java`:
- Around line 346-351: The deserialization path in FileSerializationUtil
registers subtypes without null-safety; update the code that creates
ObjectMapper (in FileSerializationUtil) to guard calls to
config.getJsonConfig().getSubtypes() — first ensure config.getJsonConfig() and
its getSubtypes() return non-null (or default to an empty array) before checking
length or calling objectMapper.registerSubtypes(...); this mirrors the
serialization-side fix and prevents a potential NPE when getSubtypes() is null.

🧹 Nitpick comments (2)

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationException.java (1)

27-67: Well-structured exception with useful context fields.

The exception design provides good debugging context with operation type, file name, and media type. Consider adding a serialVersionUID since Exception implements Serializable.

♻️ Optional: Add serialVersionUID

 public class FileSerializationException extends Exception {
 
+    private static final long serialVersionUID = 1L;
+
     private final String fileName;

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java (1)

224-225: Consider simplifying string concatenation.

StringBuilder is unnecessary for simple single concatenation operations. Modern Java compilers optimize + concatenation efficiently.

♻️ Simplified approach (applies to all three locations)

-        StringBuilder fileNameBuilder = new StringBuilder(fileName);
-        fileNameBuilder.append(Constants.XML_FILE_EXTENSION);
+        String fullFileName = fileName + Constants.XML_FILE_EXTENSION;
         ...
-        return new FileContent(fileNameBuilder.toString(), Constants.MEDIA_TYPE_XML,
+        return new FileContent(fullFileName, Constants.MEDIA_TYPE_XML,

Same pattern applies to JSON (lines 257-258) and YAML (lines 280-281) methods.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/YamlConfig.java`:
- Around line 84-88: The setAdditionalTrustedClasses method currently iterates
over the varargs and will NPE if callers pass null; update
setAdditionalTrustedClasses to treat a null classes argument as "clear the list"
by assigning additionalTrustedClassNames = new ArrayList<>() and returning early
when classes == null, otherwise populate additionalTrustedClassNames from
classes (use clazz.getName()) as it currently does; reference the method name
setAdditionalTrustedClasses and the field additionalTrustedClassNames when
making the change.

♻️ Duplicate comments (2)

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationUtil.java (1)

317-333: XML deserialization remains vulnerable to XXE if untrusted input is possible.

Unmarshaller.unmarshal(new StringReader(...)) depends on parser defaults; those are not consistently safe across JAXB implementations. Consider a hardened StAX reader (or a feature-flagged secure mode) to mitigate XXE/SSRF risks.

🔒 Hardened parsing example (opt-in or guarded)

             JAXBContext jaxbContext = JAXBContext.newInstance(classes);
             Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();

-            `@SuppressWarnings`("unchecked")
-            T result = (T) unmarshaller.unmarshal(new StringReader(fileContent.getContent()));
-            return result;
-        } catch (JAXBException e) {
+            javax.xml.stream.XMLInputFactory xif = javax.xml.stream.XMLInputFactory.newFactory();
+            xif.setProperty(javax.xml.stream.XMLInputFactory.SUPPORT_DTD, false);
+            xif.setProperty(javax.xml.stream.XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+            javax.xml.stream.XMLStreamReader xsr =
+                    xif.createXMLStreamReader(new StringReader(fileContent.getContent()));
+            `@SuppressWarnings`("unchecked")
+            T result = (T) unmarshaller.unmarshal(xsr, targetClass).getValue();
+            return result;
+        } catch (JAXBException | javax.xml.stream.XMLStreamException e) {
             throw new FileSerializationException("Failed to deserialize from XML", e,
                     fileContent.getFileName(), Constants.MEDIA_TYPE_XML,
                     FileSerializationException.Operation.DESERIALIZE);
         }

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/FileSerializationConfig.java (1)

84-95: Reject null defaults to avoid NPEs in format switching.

If a caller sets either default to null, the switch in handleUnsupported* will NPE.

✅ Suggested guard

     public void setSerializeDefault(DefaultFormat serializeDefault) {

-        this.serializeDefault = serializeDefault;
+        if (serializeDefault == null) {
+            throw new IllegalArgumentException("serializeDefault cannot be null");
+        }
+        this.serializeDefault = serializeDefault;
     }

     public void setDeserializeDefault(DefaultFormat deserializeDefault) {

-        this.deserializeDefault = deserializeDefault;
+        if (deserializeDefault == null) {
+            throw new IllegalArgumentException("deserializeDefault cannot be null");
+        }
+        this.deserializeDefault = deserializeDefault;
     }

🧹 Nitpick comments (1)

components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/JsonConfig.java (1)

35-37: Defensively copy classes in setSubtypes to avoid external mutation.

Right now the caller can mutate the varargs array after the setter call. Cloning keeps the config immutable from outside.

♻️ Suggested change

     public void setSubtypes(Class<?>... classes) {

-        this.subtypes = classes;
+        this.subtypes = classes != null ? classes.clone() : new Class<?>[0];
     }

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In
`@components/org.wso2.carbon.identity.api.server.common/src/main/java/org/wso2/carbon/identity/api/server/common/file/YamlConfig.java`:
- Around line 84-91: The setAdditionalTrustedClasses method currently assumes
all entries in the varargs are non-null and calls clazz.getName(), which will
throw a NullPointerException for null elements; update
setAdditionalTrustedClasses in YamlConfig to skip null entries (or validate and
throw a clearer IllegalArgumentException) by checking each clazz for null before
calling getName() and only adding non-null clazz.getName() to
additionalTrustedClassNames; ensure additionalTrustedClassNames is still
initialized to an empty list when classes is null or contains only nulls.