[Bug] BearerTokenAuthentication is not in the allowlist #15123

wzkris · 2025-02-11T02:14:34Z

Pre-check

I am sure that all the content I provide is in English.

Search before asking

I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

JDK17
dubbo-spring-boot-starter V3.3.3
spring-security-oauth2-authorization-server V1.3.4

Steps to reproduce this issue

I found that using spring-authorization-server Authentication can't be deserialize.
Not only BearerTokenAuthentication , more like OAuth2ClientAuthenticationToken RegisteredClient ClientAuthenticationMethod alse can't be deserialize

2025-02-11 09:58:44 [DubboServerHandler-172.20.224.1:20881-thread-9]  WARN  org.apache.dubbo.spring.security.jackson.ObjectMapperCodec
 -  [DUBBO] , dubbo version: 3.3.3, current host: 172.20.224.1, error code: 0-23. This may be caused by objectMapper! deserialize error, you can try to customize the ObjectMapperCodecCustomer., go to https://dubbo.apache.org/faq/0/23 to find instructions. 
java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication and name of org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:292)
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:151)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:136)
	at com.fasterxml.jackson.databind.deser.AbstractDeserializer.deserializeWithType(AbstractDeserializer.java:263)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3909)
	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:50)
	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:67)
	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:74)
	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:61)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:222)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.protocol.tri.h12.HttpContextFilter.invoke(HttpContextFilter.java:38)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:54)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:41)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.metrics.filter.MetricsFilter.invoke(MetricsFilter.java:86)
	at org.apache.dubbo.metrics.filter.MetricsProviderFilter.invoke(MetricsProviderFilter.java:37)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.tracing.filter.ObservationReceiverFilter.invoke(ObservationReceiverFilter.java:59)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.filter.ProfilerServerFilter.invoke(ProfilerServerFilter.java:66)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:191)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:197)
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:167)
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:110)
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:205)
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:52)
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at org.apache.dubbo.common.threadlocal.InternalRunnable.run(InternalRunnable.java:39)
	at java.base/java.lang.Thread.run(Thread.java:833)

What you expected to happen

I search issues#11603, but i wanna know if dubbo can support?

Anything else

No response

Are you willing to submit a pull request to fix on your own?

Yes I am willing to submit a pull request on my own!

Code of Conduct

I agree to follow this project's Code of Conduct

The text was updated successfully, but these errors were encountered:

AlbumenJ · 2025-02-11T02:38:04Z

Would you like to fix it?

wzkris · 2025-02-11T03:01:31Z

Would you like to fix it?
Later I will try it

wzkris added component/need-triage Need maintainers to triage type/need-triage Need maintainers to triage labels Feb 11, 2025

github-project-automation bot added this to Dubbo Board Feb 11, 2025

github-project-automation bot moved this to Todo in Dubbo Board Feb 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] BearerTokenAuthentication is not in the allowlist #15123

[Bug] BearerTokenAuthentication is not in the allowlist #15123

wzkris commented Feb 11, 2025 •

edited

Loading

AlbumenJ commented Feb 11, 2025

wzkris commented Feb 11, 2025

[Bug] BearerTokenAuthentication is not in the allowlist #15123

[Bug] BearerTokenAuthentication is not in the allowlist #15123

Comments

wzkris commented Feb 11, 2025 • edited Loading

Pre-check

Search before asking

Apache Dubbo Component

Dubbo Version

Steps to reproduce this issue

What you expected to happen

Anything else

Are you willing to submit a pull request to fix on your own?

Code of Conduct

AlbumenJ commented Feb 11, 2025

wzkris commented Feb 11, 2025

wzkris commented Feb 11, 2025 •

edited

Loading