Fix part of #4160: remove DefaultTyping.EVERYTHING from 3.0 (#4174)

Author: cowtowncoder

release-notes/VERSION

@@ -55,5 +55,6 @@ Versions: 3.x (for earlier see VERSION-2.x)
 #3536: Create new exception type `JsonNodeException` for use by `JsonNode`-related problems
 #3542: Rename "com.fasterxml.jackson" -> "tools.jackson"
 #3601: Change `Optional` deserialization from "absent" value into `null`, from "empty"
+$4160: Deprecate `DefaultTyping.EVERYTHING` in `2.x` and remove in `3.0`
 - Remove `MappingJsonFactory`
 - Add context parameter for `TypeSerializer` contextualization (`forProperty()`)

src/main/java/tools/jackson/databind/DefaultTyping.java

@@ -47,28 +47,7 @@ public enum DefaultTyping {
     /**
      * Enables default typing for non-final types as {@link #NON_FINAL},
      * but also includes Enums.
-     * Designed to allow default typing of Enums without resorting to
-     * {@link #EVERYTHING}, which has security implications.
      */
-    NON_FINAL_AND_ENUMS,
-
-    /**
-     * Value that means that default typing will be used for
-     * all types, with exception of small number of
-     * "natural" types (String, Boolean, Integer, Double) that
-     * can be correctly inferred from JSON, and primitives (which
-     * can not be polymorphic either). Typing is also enabled for
-     * all array types.
-     *<p>
-     * WARNING: most of the time this is <b>NOT</b> the setting you want
-     * as it tends to add Type Ids everywhere, even in cases
-     * where type can not be anything other than declared (for example
-     * if declared value type of a property is {@code final} -- for example,
-     * properties of type {@code long} (or wrapper {@code Long}).
-     *<p>
-     * Note that the only known use case for this setting is for serialization
-     * when passing instances of final class, and base type is not
-     * separately specified.
-     */
-    EVERYTHING;
+    NON_FINAL_AND_ENUMS
+    ;
 }

src/main/java/tools/jackson/databind/jsontype/impl/DefaultTypeResolverBuilder.java

@@ -157,11 +157,6 @@ public boolean useForType(JavaType t)
                     // [databind#3569] Allow use of default typing for Enums
                     || t.isEnumType();
 
-        case EVERYTHING:
-            // So, excluding primitives (handled earlier) and "Natural types" (handled
-            // before this method is called), applied to everything
-            return true;
-
         default:
         case JAVA_LANG_OBJECT:
             return t.isJavaLangObject();

src/test-jdk11/java/tools/jackson/databind/jdk9/Java9ListsTest.java

@@ -8,6 +8,7 @@
 import tools.jackson.databind.BaseMapTest;
 import tools.jackson.databind.DefaultTyping;
 import tools.jackson.databind.ObjectMapper;
+import tools.jackson.databind.ObjectWriter;
 import tools.jackson.databind.json.JsonMapper;
 import tools.jackson.databind.testutil.NoCheckSubTypeValidator;
 
@@ -17,7 +18,7 @@ public class Java9ListsTest extends BaseMapTest
     private final ObjectMapper MAPPER = JsonMapper.builder()
             .activateDefaultTypingAsProperty(
                     NoCheckSubTypeValidator.instance,
-                    DefaultTyping.EVERYTHING,
+                    DefaultTyping.NON_FINAL,
                  "@class"
             ).build();
 
@@ -39,56 +40,59 @@ public void testJava9ListOf() throws Exception
 System.err.println(" final? "+type.isFinal());
          }
          */
-         String actualJson = MAPPER.writeValueAsString(list);
+         ObjectWriter w = MAPPER.writerFor(List.class);
+         String actualJson = w.writeValueAsString(list);
          List<?>  output = MAPPER.readValue(actualJson, List.class);
          assertEquals(1, output.size());
 
          // and couple of alternatives:
          list = List.of("a", "b");
-         actualJson = MAPPER.writeValueAsString(list);
+         actualJson = w.writeValueAsString(list);
          output = MAPPER.readValue(actualJson, List.class);
          assertEquals(2, output.size());
 
          list = List.of("a", "b", "c");
-         actualJson = MAPPER.writeValueAsString(list);
+         actualJson = w.writeValueAsString(list);
          output = MAPPER.readValue(actualJson, List.class);
          assertEquals(3, output.size());
 
          list = List.of();
-         actualJson = MAPPER.writeValueAsString(list);
+         actualJson = w.writeValueAsString(list);
          output = MAPPER.readValue(actualJson, List.class);
          assertEquals(0, output.size());
     }
 
     public void testJava9MapOf() throws Exception
     {
+        ObjectWriter w = MAPPER.writerFor(Map.class);
         Map<String,String> map = Map.of("key", "value");
-        String actualJson = MAPPER.writeValueAsString(map);
+        String actualJson = w.writeValueAsString(map);
         Map<?,?>  output = MAPPER.readValue(actualJson, Map.class);
         assertEquals(1, output.size());
 
         // and alternatives
         map = Map.of("key", "value", "foo", "bar");
-        actualJson = MAPPER.writeValueAsString(map);
+        actualJson = w.writeValueAsString(map);
         output = MAPPER.readValue(actualJson, Map.class);
         assertEquals(2, output.size());
 
         map = Map.of("key", "value", "foo", "bar", "last", "one");
-        actualJson = MAPPER.writeValueAsString(map);
+        actualJson = w.writeValueAsString(map);
         output = MAPPER.readValue(actualJson, Map.class);
         assertEquals(3, output.size());
 
         map = Map.of();
-        actualJson = MAPPER.writeValueAsString(map);
+        actualJson = w.writeValueAsString(map);
         output = MAPPER.readValue(actualJson, Map.class);
         assertEquals(0, output.size());
     }
 
     // [databind#3344]
     public void testJava9SetOf() throws Exception
     {
+        ObjectWriter w = MAPPER.writerFor(Set.class);
         Set<?> set = Set.of("a", "b", "c");
-        String actualJson = MAPPER.writeValueAsString(set);
+        String actualJson = w.writeValueAsString(set);
         Set<?> output = MAPPER.readValue(actualJson, Set.class);
         assertTrue(output instanceof Set<?>);
         assertEquals(set, output);

src/test-jdk17/java/tools/jackson/databind/jdk17/Java17CollectionsTest.java

@@ -7,6 +7,7 @@
 import tools.jackson.databind.BaseMapTest;
 import tools.jackson.databind.DefaultTyping;
 import tools.jackson.databind.ObjectMapper;
+import tools.jackson.databind.ObjectWriter;
 import tools.jackson.databind.json.JsonMapper;
 import tools.jackson.databind.testutil.NoCheckSubTypeValidator;
 
@@ -15,20 +16,21 @@ public class Java17CollectionsTest extends BaseMapTest
     private final ObjectMapper MAPPER = JsonMapper.builder()
             .activateDefaultTypingAsProperty(
                  new NoCheckSubTypeValidator(),
-                 DefaultTyping.EVERYTHING,
+                 DefaultTyping.NON_FINAL,
                  "@class"
             ).build();
 
     // [databind#3404]
     public void testJava9StreamOf() throws Exception
     {
+        ObjectWriter w = MAPPER.writerFor(List.class);
         List<String> input = Stream.of("a", "b", "c").collect(Collectors.toList());
-        String actualJson = MAPPER.writeValueAsString(input);
+        String actualJson = w.writeValueAsString(input);
         List<?> result = MAPPER.readValue(actualJson, List.class);
         assertEquals(input, result);
 
         input = Stream.of("a", "b", "c").toList();
-        actualJson = MAPPER.writeValueAsString(input);
+        actualJson = w.writeValueAsString(input);
         result = MAPPER.readValue(actualJson, List.class);
         assertEquals(input, result);
     }

src/test/java/tools/jackson/databind/jsontype/deftyping/TestDefaultForObject.java

@@ -415,12 +415,15 @@ public void testWithFinalClass() throws Exception
         assertEquals(a2q("{'name':'abc'}"),
                 mapper.writeValueAsString(new FinalStringBean("abc")));
 
+        // 23-Oct-2023, tatu: [databind#4160] Remove "EVERYTHING" option
+        /*
         mapper = jsonMapperBuilder()
                 .activateDefaultTyping(NoCheckSubTypeValidator.instance,
                         DefaultTyping.EVERYTHING)
                 .build();
         assertEquals(a2q("['"+FinalStringBean.class.getName()+"',{'name':'abc'}]"),
                 mapper.writeValueAsString(new FinalStringBean("abc")));
+                */
     }
 
     /*

src/test/java/tools/jackson/databind/jsontype/vld/BasicPTVKnownTypesTest.java

@@ -13,7 +13,7 @@ public class BasicPTVKnownTypesTest extends BaseMapTest
             .activateDefaultTyping(BasicPolymorphicTypeValidator.builder()
                     .allowSubTypesWithExplicitDeserializer()
                     .build(),
-                    DefaultTyping.EVERYTHING)
+                    DefaultTyping.NON_FINAL_AND_ENUMS)
             .build();
 
     static class Dangerous {

src/test/java/tools/jackson/databind/jsontype/vld/CustomPTVMatchersTest.java

@@ -1,6 +1,6 @@
 package tools.jackson.databind.jsontype.vld;
 
-import java.net.URL;
+import java.util.TimeZone;
 
 import tools.jackson.databind.BaseMapTest;
 import tools.jackson.databind.DefaultTyping;
@@ -51,7 +51,7 @@ public void testCustomBaseMatchers() throws Exception
                 .allowIfBaseType((ctxt, base) -> base.getName().startsWith("tools.jackson." ))
                 .build();
         ObjectMapper mapper = jsonMapperBuilder()
-                .activateDefaultTyping(ptv, DefaultTyping.EVERYTHING)
+                .activateDefaultTyping(ptv, DefaultTyping.NON_FINAL)
                 .build();
         // First: in this case, allow "Bad" one too (note: default typing based on
         // runtime type here)
@@ -60,12 +60,13 @@ public void testCustomBaseMatchers() throws Exception
         assertEquals(CustomBad.class, result.getClass());
 
         // but other types not so good
-        final String badJson = mapper.writeValueAsString(new URL("http://localhost") );
+        // NOTE! Need to use non-final type (2.x used java.net.URL)
+        final String badJson = mapper.writeValueAsString(TimeZone.getDefault());
         try {
-            mapper.readValue(badJson, URL.class);
+            mapper.readValue(badJson, TimeZone.class);
             fail("Should not pass");
         } catch (InvalidTypeIdException e) {
-            verifyException(e, "Could not resolve type id 'java.net.URL'");
+            verifyException(e, "Could not resolve type id 'java.util.TimeZone'");
             verifyException(e, "as a subtype of");
         }
         assertEquals(CustomBad.class, result.getClass());