Consider DefaultTyping configuration in Jackson Serializers.

We're exploring whether it makes sense to accept a `DefaultTyping` config option for Jackson serializer configuration.

Author: mp911de

src/main/java/org/springframework/data/redis/serializer/GenericJackson2JsonRedisSerializer.java

@@ -135,7 +135,8 @@ public GenericJackson2JsonRedisSerializer(@Nullable String typeHintPropertyName,
 
 		registerNullValueSerializer(this.mapper, typeHintPropertyName);
 
-		this.mapper.setDefaultTyping(createDefaultTypeResolverBuilder(getObjectMapper(), typeHintPropertyName));
+		this.mapper.setDefaultTyping(createDefaultTypeResolverBuilder(
+				GenericJackson2JsonRedisSerializerBuilder.DEFAULT_TYPING, getObjectMapper(), typeHintPropertyName));
 	}
 
 	/**
@@ -216,10 +217,12 @@ private static Lazy<String> getConfiguredTypeDeserializationPropertyName(ObjectM
 		});
 	}
 
-	private static StdTypeResolverBuilder createDefaultTypeResolverBuilder(ObjectMapper objectMapper,
+	private static StdTypeResolverBuilder createDefaultTypeResolverBuilder(@Nullable DefaultTyping defaultTyping,
+			ObjectMapper objectMapper,
 			@Nullable String typeHintPropertyName) {
 
-		StdTypeResolverBuilder typer = TypeResolverBuilder.forEverything(objectMapper).init(JsonTypeInfo.Id.CLASS, null)
+		StdTypeResolverBuilder typer = TypeResolverBuilder.forTyping(defaultTyping, objectMapper)
+				.init(JsonTypeInfo.Id.CLASS, null)
 				.inclusion(As.PROPERTY);
 
 		if (StringUtils.hasText(typeHintPropertyName)) {
@@ -464,6 +467,8 @@ public void serializeWithType(NullValue value, JsonGenerator jsonGenerator, Seri
 	 */
 	public static class GenericJackson2JsonRedisSerializerBuilder {
 
+		private static final DefaultTyping DEFAULT_TYPING = DefaultTyping.EVERYTHING;
+
 		private @Nullable String typeHintPropertyName;
 
 		private Jackson2ObjectReader reader = Jackson2ObjectReader.create();
@@ -472,7 +477,9 @@ public static class GenericJackson2JsonRedisSerializerBuilder {
 
 		private @Nullable ObjectMapper objectMapper;
 
-		private @Nullable Boolean defaultTyping;
+		private @Nullable Boolean defaultTypingEnabled;
+
+		private @Nullable DefaultTyping defaultTyping;
 
 		private boolean registerNullValueSerializer = true;
 
@@ -490,6 +497,22 @@ private GenericJackson2JsonRedisSerializerBuilder() {}
 		 * @return this {@link GenericJackson2JsonRedisSerializer.GenericJackson2JsonRedisSerializerBuilder}.
 		 */
 		public GenericJackson2JsonRedisSerializerBuilder defaultTyping(boolean defaultTyping) {
+			this.defaultTypingEnabled = defaultTyping;
+			this.defaultTyping = defaultTyping ? DEFAULT_TYPING : null;
+			return this;
+		}
+
+		/**
+		 * Enable default typing by setting {@link DefaultTyping}. Enabling default typing will override
+		 * {@link ObjectMapper#setDefaultTyping(com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder)} for a given
+		 * {@link ObjectMapper}. Default typing is enabled by default if no {@link ObjectMapper} is provided.
+		 *
+		 * @param defaultTyping the default typing mode.
+		 * @return this {@link GenericJackson2JsonRedisSerializer.GenericJackson2JsonRedisSerializerBuilder}.
+		 * @since 4.0.3
+		 */
+		public GenericJackson2JsonRedisSerializerBuilder defaultTyping(DefaultTyping defaultTyping) {
+			this.defaultTypingEnabled = true;
 			this.defaultTyping = defaultTyping;
 			return this;
 		}
@@ -599,9 +622,11 @@ public GenericJackson2JsonRedisSerializer build() {
 								: new NullValueSerializer(this.typeHintPropertyName)));
 			}
 
-			if ((!providedObjectMapper && (defaultTyping == null || defaultTyping))
-					|| (defaultTyping != null && defaultTyping)) {
-				objectMapper.setDefaultTyping(createDefaultTypeResolverBuilder(objectMapper, typeHintPropertyName));
+			// enable default typing by default unless providing ObjectMapper or defaultTypingEnabled is explicitly set.
+			if ((!providedObjectMapper && (defaultTypingEnabled == null || defaultTypingEnabled))
+					|| (defaultTypingEnabled != null && defaultTypingEnabled)) {
+				objectMapper
+						.setDefaultTyping(createDefaultTypeResolverBuilder(defaultTyping, objectMapper, typeHintPropertyName));
 			}
 
 			return new GenericJackson2JsonRedisSerializer(objectMapper, this.reader, this.writer, this.typeHintPropertyName);
@@ -619,12 +644,17 @@ public GenericJackson2JsonRedisSerializer build() {
 	 */
 	private static class TypeResolverBuilder extends ObjectMapper.DefaultTypeResolverBuilder {
 
-		static TypeResolverBuilder forEverything(ObjectMapper mapper) {
-			return new TypeResolverBuilder(DefaultTyping.EVERYTHING, mapper.getPolymorphicTypeValidator());
+		private final DefaultTyping typing;
+
+		static TypeResolverBuilder forTyping(@Nullable DefaultTyping defaultTyping, ObjectMapper mapper) {
+			return new TypeResolverBuilder(
+					defaultTyping == null ? GenericJackson2JsonRedisSerializerBuilder.DEFAULT_TYPING : defaultTyping,
+					mapper.getPolymorphicTypeValidator());
 		}
 
 		public TypeResolverBuilder(DefaultTyping typing, PolymorphicTypeValidator polymorphicTypeValidator) {
 			super(typing, polymorphicTypeValidator);
+			this.typing = typing;
 		}
 
 		@Override
@@ -646,6 +676,10 @@ public boolean useForType(JavaType javaType) {
 
 			javaType = resolveArrayOrWrapper(javaType);
 
+			if (javaType.isEnumType() && typing != DefaultTyping.EVERYTHING) {
+				return super.useForType(javaType);
+			}
+
 			if (javaType.isEnumType() || ClassUtils.isPrimitiveOrWrapper(javaType.getRawClass())) {
 				return false;
 			}
@@ -655,6 +689,10 @@ public boolean useForType(JavaType javaType) {
 				return false;
 			}
 
+			if (typing != GenericJackson2JsonRedisSerializerBuilder.DEFAULT_TYPING) {
+				return super.useForType(javaType);
+			}
+
 			// [databind#88] Should not apply to JSON tree models:
 			return !TreeNode.class.isAssignableFrom(javaType.getRawClass());
 		}

src/main/java/org/springframework/data/redis/serializer/GenericJacksonJsonRedisSerializer.java

@@ -263,10 +263,12 @@ private static Lazy<String> getConfiguredTypeDeserializationPropertyName(ObjectM
 	 */
 	public static class GenericJacksonJsonRedisSerializerBuilder<B extends MapperBuilder<? extends ObjectMapper, ? extends MapperBuilder<?, ?>>> {
 
+		private static final DefaultTyping DEFAULT_TYPING = DefaultTyping.NON_FINAL;
+
 		private final Supplier<B> builderFactory;
 
 		private boolean cacheNullValueSupportEnabled = false;
-		private boolean defaultTyping = false;
+		private @Nullable DefaultTyping defaultTyping = null;
 		private @Nullable String typePropertyName;
 		private PolymorphicTypeValidator typeValidator = BasicPolymorphicTypeValidator.builder()
 				.allowIfBaseType(Object.class).allowIfSubType((ctx, clazz) -> true).build();
@@ -323,7 +325,28 @@ public GenericJacksonJsonRedisSerializerBuilder<B> enableSpringCacheNullValueSup
 		@Contract("-> this")
 		public GenericJacksonJsonRedisSerializerBuilder<B> enableUnsafeDefaultTyping() {
 
-			this.defaultTyping = true;
+			withDefaultTyping();
+			return this;
+		}
+
+		/**
+		 * Enables
+		 * {@link JsonMapper.Builder#activateDefaultTypingAsProperty(PolymorphicTypeValidator, DefaultTyping, String)
+		 * default typing} without any type validation constraints.
+		 * <p>
+		 * <strong>WARNING</strong>: without restrictions of the {@link PolymorphicTypeValidator} deserialization is
+		 * vulnerable to arbitrary code execution when reading from untrusted sources.
+		 *
+		 * @param defaultTyping the default typing mode to use.
+		 * @return {@code this} builder.
+		 * @since 4.0.3
+		 * @see <a href=
+		 *      "https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data">https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data</a>
+		 */
+		@Contract("_ -> this")
+		public GenericJacksonJsonRedisSerializerBuilder<B> defaultTyping(DefaultTyping defaultTyping) {
+
+			this.defaultTyping = defaultTyping;
 			return this;
 		}
 
@@ -338,8 +361,8 @@ public GenericJacksonJsonRedisSerializerBuilder<B> enableUnsafeDefaultTyping() {
 		public GenericJacksonJsonRedisSerializerBuilder<B> enableDefaultTyping(PolymorphicTypeValidator typeValidator) {
 
 			typeValidator(typeValidator);
+			withDefaultTyping();
 
-			this.defaultTyping = true;
 			return this;
 		}
 
@@ -372,6 +395,15 @@ public GenericJacksonJsonRedisSerializerBuilder<B> typePropertyName(String typeP
 			return this;
 		}
 
+		/**
+		 * Enable default typing using {@link DefaultTyping#NON_FINAL} if not already configured.
+		 */
+		private void withDefaultTyping() {
+			if (this.defaultTyping == null) {
+				defaultTyping(DEFAULT_TYPING);
+			}
+		}
+
 		/**
 		 * Configures the {@link JacksonObjectWriter}.
 		 *
@@ -440,10 +472,10 @@ public GenericJacksonJsonRedisSerializer build() {
 				}));
 			}
 
-			if (defaultTyping) {
+			if (defaultTyping != null) {
 
 				GenericJacksonJsonRedisSerializer.TypeResolverBuilder resolver = new GenericJacksonJsonRedisSerializer.TypeResolverBuilder(
-						typeValidator, DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY, JsonTypeInfo.Id.CLASS, typePropertyName);
+						typeValidator, defaultTyping, JsonTypeInfo.As.PROPERTY, JsonTypeInfo.Id.CLASS, typePropertyName);
 
 				mapperBuilder.configure(DeserializationFeature.FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY, false)
 						.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false).setDefaultTyping(resolver);
@@ -596,17 +628,13 @@ public void setupModule(SetupContext context) {
 
 	private static class TypeResolverBuilder extends DefaultTypeResolverBuilder {
 
-		public TypeResolverBuilder(PolymorphicTypeValidator subtypeValidator, DefaultTyping t, JsonTypeInfo.As includeAs) {
-			super(subtypeValidator, t, includeAs);
-		}
-
-		public TypeResolverBuilder(PolymorphicTypeValidator subtypeValidator, DefaultTyping t, String propertyName) {
-			super(subtypeValidator, t, propertyName);
-		}
+		private final DefaultTyping defaultTyping;
 
-		public TypeResolverBuilder(PolymorphicTypeValidator subtypeValidator, DefaultTyping t, JsonTypeInfo.As includeAs,
+		public TypeResolverBuilder(PolymorphicTypeValidator subtypeValidator, DefaultTyping defaultTyping,
+				JsonTypeInfo.As includeAs,
 				JsonTypeInfo.Id idType, @Nullable String propertyName) {
-			super(subtypeValidator, t, includeAs, idType, propertyName);
+			super(subtypeValidator, defaultTyping, includeAs, idType, propertyName);
+			this.defaultTyping = defaultTyping;
 		}
 
 		@Override
@@ -628,6 +656,10 @@ public boolean useForType(JavaType javaType) {
 
 			javaType = resolveArrayOrWrapper(javaType);
 
+			if (javaType.isEnumType() && defaultTyping != GenericJacksonJsonRedisSerializerBuilder.DEFAULT_TYPING) {
+				return super.useForType(javaType);
+			}
+
 			if (javaType.isEnumType() || ClassUtils.isPrimitiveOrWrapper(javaType.getRawClass())) {
 				return false;
 			}
@@ -637,6 +669,10 @@ public boolean useForType(JavaType javaType) {
 				return false;
 			}
 
+			if (defaultTyping != GenericJacksonJsonRedisSerializerBuilder.DEFAULT_TYPING) {
+				return super.useForType(javaType);
+			}
+
 			// [databind#88] Should not apply to JSON tree models:
 			return !TreeNode.class.isAssignableFrom(javaType.getRawClass());
 		}

src/test/java/org/springframework/data/redis/serializer/GenericJackson2JsonRedisSerializerUnitTests.java

@@ -64,6 +64,7 @@
  * @author Mark Paluch
  * @author John Blum
  */
+@SuppressWarnings("removal")
 class GenericJackson2JsonRedisSerializerUnitTests {
 
 	private static final SimpleObject SIMPLE_OBJECT = new SimpleObject(1L);
@@ -402,6 +403,40 @@ void deserializesEnumFromBytes() {
 				.isEqualTo(EnumType.TWO);
 	}
 
+	@Test // GH-3306
+	void serializesNonFinalIntoBytesWithTypeHint() {
+
+		GenericJackson2JsonRedisSerializer serializer = GenericJackson2JsonRedisSerializer.builder()
+				.defaultTyping(DefaultTyping.NON_FINAL_AND_ENUMS).build();
+
+		assertThat(new String(serializer.serialize(EnumType.ONE)))
+				.isEqualTo("[\"%s\",\"ONE\"]".formatted(EnumType.class.getName()));
+	}
+
+	@Test // GH-3306
+	void deserializesEnumFromBytesWithTypeHint() {
+
+		GenericJackson2JsonRedisSerializer serializer = GenericJackson2JsonRedisSerializer.builder()
+				.defaultTyping(DefaultTyping.NON_FINAL_AND_ENUMS).build();
+
+		assertThat(serializer.deserialize(
+				"[\"%s\",\"TWO\"]".formatted(EnumType.class.getName()).getBytes(StandardCharsets.UTF_8), EnumType.class))
+				.isEqualTo(EnumType.TWO);
+	}
+
+	@Test // GH-3306
+	void serializesRecordIntoBytesWithout() {
+
+		GenericJackson2JsonRedisSerializer serializer = GenericJackson2JsonRedisSerializer.builder()
+				.defaultTyping(DefaultTyping.NON_FINAL_AND_ENUMS).build();
+
+		record Foo(String hello) {
+
+		}
+
+		assertThat(new String(serializer.serialize(new Foo("world")))).isEqualTo("{\"hello\":\"world\"}");
+	}
+
 	@Test // GH-2396
 	void serializesJavaTimeIntoBytes() {
 

src/test/java/org/springframework/data/redis/serializer/GenericJacksonJsonRedisSerializerUnitTests.java

@@ -344,21 +344,53 @@ void deserializesUUIDFromBytes() {
 
 	@Test // GH-2396
 	void serializesEnumIntoBytes() {
-
-		GenericJacksonJsonRedisSerializer serializer = this.serializer;
-
-		assertThat(serializer.serialize(EnumType.ONE)).isEqualTo(("\"ONE\"").getBytes(StandardCharsets.UTF_8));
+		assertThat(new String(serializer.serialize(EnumType.ONE))).isEqualTo(("\"ONE\""));
 	}
 
 	@Test // GH-2396
 	void deserializesEnumFromBytes() {
 
-		GenericJacksonJsonRedisSerializer serializer = this.serializer;
-
 		assertThat(serializer.deserialize("\"TWO\"".getBytes(StandardCharsets.UTF_8), EnumType.class))
 				.isEqualTo(EnumType.TWO);
 	}
 
+	@Test // GH-3306
+	void serializesEnumIntoBytesWithTypeHint() {
+
+		GenericJacksonJsonRedisSerializer serializer = GenericJacksonJsonRedisSerializer.create(it -> {
+			it.defaultTyping(DefaultTyping.NON_FINAL_AND_ENUMS);
+		});
+
+		assertThat(new String(serializer.serialize(EnumType.ONE)))
+				.isEqualTo("[\"%s\",\"ONE\"]".formatted(EnumType.class.getName()));
+	}
+
+	@Test // GH-3306
+	void deserializesEnumFromBytesWithTypeHint() {
+
+		GenericJacksonJsonRedisSerializer serializer = GenericJacksonJsonRedisSerializer.create(it -> {
+			it.defaultTyping(DefaultTyping.NON_FINAL_AND_ENUMS);
+		});
+
+		assertThat(serializer.deserialize(
+				"[\"%s\",\"TWO\"]".formatted(EnumType.class.getName()).getBytes(StandardCharsets.UTF_8), EnumType.class))
+				.isEqualTo(EnumType.TWO);
+	}
+
+	@Test // GH-3306
+	void serializesRecordIntoBytesWithoutHint() {
+
+		GenericJacksonJsonRedisSerializer serializer = GenericJacksonJsonRedisSerializer.create(it -> {
+			it.defaultTyping(DefaultTyping.NON_FINAL_AND_ENUMS);
+		});
+
+		record Foo(String hello) {
+
+		}
+
+		assertThat(new String(serializer.serialize(new Foo("world")))).isEqualTo("{\"hello\":\"world\"}");
+	}
+
 	@Test // GH-2396
 	void serializesJavaTimeIntoBytes() {