Last active October 20, 2019 13:17
An example of a whitelist implemented with Jackson 2.10. Full code can be found at
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
public class SaferPersonDeserialization {
    // Person is not shown on the gist page; this minimal shape is assumed to match the JSON below.
    public static class Person {
        public String name;
        public int age;
        public Object phone; // Object-typed slot: default typing resolves it from the "@class" id
    }
    // Hostile payload: its "@class" names a class that is not on the whitelist.
    private static final String bad =
            "{" // opening brace only; the line preceding "age" is missing from the extracted page
            + "\"age\":101,"
            + "\"phone\":{"
            + " \"@class\":\"com.popular.lib.Exec\","
            + " \"command\":\"calc\""
            + "}}";
    public static void main(String[] args) throws Exception {
        // Whitelist: only classes under this (assumed) package prefix may be resolved from a type id.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        // Jackson 2.10: default typing is activated together with the validator, never without it.
        ObjectMapper mapper = JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY)
                .build();
        try {
            mapper.readValue(bad, Person.class);
        } catch (Exception e) {
            // Expected: InvalidTypeIdException, since com.popular.lib.Exec is outside the whitelist
            System.out.println("Deserialization failed: " + e);
        }
    }
}
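As an added example (not part of the gist), the same Jackson 2.10 validator technique with a class-based whitelist, showing both an accepted subtype and a rejected type id. The Phone, MobilePhone and Person types are hypothetical; the field stays Object-typed, as in the gist, to show that the validator still confines which classes a type id may name.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

public class PhoneWhitelistDemo {
    // Hypothetical domain types (assumed for this example, not from the gist).
    public static abstract class Phone { public String number; }
    public static class MobilePhone extends Phone { public String carrier; }
    public static class Person { public String name; public Object phone; }

    static ObjectMapper mapper() {
        // allowIfSubType(Class) accepts a type id only if the resolved class is assignable
        // to Phone, whatever the declared type of the field being populated.
        return JsonMapper.builder()
                .activateDefaultTyping(
                        BasicPolymorphicTypeValidator.builder()
                                .allowIfSubType(Phone.class)
                                .build(),
                        ObjectMapper.DefaultTyping.NON_FINAL,
                        JsonTypeInfo.As.PROPERTY)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = mapper();
        String cls = MobilePhone.class.getName();
        // Accepted: the type id resolves to a Phone subtype (constructed sample input).
        String ok = "{\"name\":\"A\",\"phone\":{\"@class\":\"" + cls
                + "\",\"number\":\"555-0100\",\"carrier\":\"x\"}}";
        Person p = m.readValue(ok, Person.class);
        System.out.println("accepted: " + p.phone.getClass().getSimpleName());
        // Rejected: a class present on every classpath but not assignable to Phone,
        // so the validator denies it even though the field's declared type is Object.
        String denied = "{\"name\":\"B\",\"phone\":{\"@class\":\"java.util.HashMap\"}}";
        try {
            m.readValue(denied, Person.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```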