Sling Model Exporter: Prevent serializing of a ResourceResolver

Tue, 27 Jun 2023 04:28:32 -0700 

Hi,

Assuming this Sling Model (using Lombok's @Getter annotation)

@Getter
@Model(
        adaptables = { SlingHttpServletRequest.class },
        adapters = { MyModel.class, ComponentExporter.class },
        resourceType = MyModel.RESOURCE_TYPE)
@Exporter(
        name = ExporterConstants.SLING_MODEL_EXPORTER_NAME,
        extensions = ExporterConstants.SLING_MODEL_EXTENSION)
public class MyModel implements ComponentExporter {

        static final String RESOURCE_TYPE = "myapp/components/mymodel";

        @Inject
        private ResourceResolver resolver;

        @ChildResource
        private List<Resource> items;

}

When it this model is serialized via SlingModelExporter / Jackson, the
resolver field is also exported via the created getResolver()) method.

But serializing that does not always work:

org.apache.sling.models.factory.ExportException:
com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No
serializer found for class
com.day.cq.wcm.core.impl.policies.ContentPolicyManagerImpl and no
properties discovered to create BeanSerializer (to avoid exception, disable
SerializationFeature.FAIL_ON_EMPTY_BEANS) (through reference chain:
com.myapp.PageImpl[":items"]> [...] > com.myapp.MyModel["resolver"]
>org.apache.sling.resourceresolver.impl.ResourceResolverImpl["propertyMap"]
>java.util.HashMap["com.day.cq.wcm.core.impl.policies.ContentPolicyAdapterFactory.ContentPolicy"])
    at
org.apache.sling.models.jacksonexporter.impl.JacksonExporter.export(JacksonExporter.java:138)
[org.apache.sling.models.jacksonexporter:1.1.2]
    at
org.apache.sling.models.impl.ModelAdapterFactory.exportModel(ModelAdapterFactory.java:1333)
[org.apache.sling.models.impl:1.5.4]


I don't want to check each class I want to add to the propertyMap if it can
be serialized or not; and a more serious problem is that serializing the
resourceResolver and it's properyMap can leak a lot of information, which
should be not get public.

Do you see a way to prevent serialization of the ResourceResolver (and
potentially other types as well) without touching the model classes?

Jörg

-- 
Cheers,
Jörg Hoh,

https://cqdump.joerghoh.de
Twitter: @joerghoh

Reply via email to