[jira] [Created] (SLING-11924) ModelExporter should not serialize a ResourceResolver
Joerg Hoh created SLING-11924:

Summary: ModelExporter should not serialize a ResourceResolver
Key: SLING-11924
URL: https://issues.apache.org/jira/browse/SLING-11924
Project: Sling
Issue Type: Task
Components: Sling Models
Affects Versions: Sling Models Jackson Exporter 1.0.2
Reporter: Joerg Hoh

With the addition of {{ResourceResolver.getPropertyMap()}} (SLING-10895) I found that the serialization of a ResourceResolver can fail like this:

{noformat}
rg.apache.sling.models.factory.ExportException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No serializer found for class com.day.cq.wcm.core.impl.policies.ContentPolicyManagerImpl and no properties discovered to create BeanSerializer (to avoid exception, disable SerializationFeature.FAIL_ON_EMPTY_BEANS) (through reference chain: com.myapp.PageImpl[":items"]> [...] > com.myapp.MyModel["resolver"] >org.apache.sling.resourceresolver.impl.ResourceResolverImpl["propertyMap"] >java.util.HashMap["com.day.cq.wcm.core.impl.policies.ContentPolicyAdapterFactory.ContentPolicy"])
    at org.apache.sling.models.jacksonexporter.impl.JacksonExporter.export(JacksonExporter.java:138) [org.apache.sling.models.jacksonexporter:1.1.2]
    at org.apache.sling.models.impl.ModelAdapterFactory.exportModel(ModelAdapterFactory.java:1333) [org.apache.sling.models.impl:1.5.4]
{noformat}

This is caused by the fact that a Sling Model class serializes a ResourceResolver, which is problematic for these 2 reasons:

* It can fail for the above-mentioned reason in an unpredictable way (for example, some code adds items via {{getPropertyMap().put(x,y)}} and the serialization fails at a totally different place).
* The serialization of the RR discloses implementation details (e.g. searchpaths, or other things which might be stored in the propertyMap).

I am not aware of any reason why a ResourceResolver should be serialized; instead, more specialized types should be used.

For that reason we should have a way to disable the serialization of the ResourceResolver. For backwards compatibility we can keep the existing behavior as a default, but I also see reasons why the serialization of the RR should be turned off by default.

See also the discussion on sling-dev: https://lists.apache.org/thread/8xl4lgfl5omv3md4drgyqqz3vmfllsom

--
This message was sent by Atlassian Jira (v8.20.10#820010)
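An added illustration of the two problems named in the description and of one Jackson-level way to suppress them; it is not the code from the pull request or from the Sling project. `ResourceResolver` below is a minimal stand-in interface for the Sling type (assumption: only the two getters relevant here are modelled), and `MyModel`, `FakeResolver` and `InternalService` are constructed for the example. It needs only jackson-databind on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreType;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;

import java.util.HashMap;
import java.util.Map;

public class ResolverExportDemo {

    // Stand-in for org.apache.sling.api.resource.ResourceResolver (assumption:
    // reduced to the getters that Jackson would discover as bean properties).
    public interface ResourceResolver {
        String[] getSearchPath();
        Map<String, Object> getPropertyMap();
    }

    // Constructed stand-in for an internal service object that some unrelated
    // code caches in the property map; it exposes no bean properties.
    public static final class InternalService { }

    // Constructed resolver implementation for the demo.
    public static final class FakeResolver implements ResourceResolver {
        private final Map<String, Object> props = new HashMap<>();
        @Override public String[] getSearchPath() { return new String[] {"/apps/", "/libs/"}; }
        @Override public Map<String, Object> getPropertyMap() { return props; }
    }

    // Hypothetical model that (accidentally) exposes the resolver via a getter.
    public static final class MyModel {
        private final ResourceResolver resolver;
        public MyModel(ResourceResolver resolver) { this.resolver = resolver; }
        public String getTitle() { return "Hello"; }
        public ResourceResolver getResolver() { return resolver; }
    }

    // Mix-in carrying @JsonIgnoreType: once attached to a target class, Jackson
    // skips every bean property whose declared type is that class.
    @JsonIgnoreType
    abstract static class IgnoreTypeMixIn { }

    // Mapper that behaves like an unconfigured exporter.
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // Mapper that refuses to emit ResourceResolver-typed properties.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper().addMixIn(ResourceResolver.class, IgnoreTypeMixIn.class);
    }

    // Serializes the value, or returns the Jackson error text if that fails.
    static String export(ObjectMapper mapper, Object value) {
        try {
            return mapper.writeValueAsString(value);
        } catch (InvalidDefinitionException e) {
            return "FAILED: " + e.getMessage();
        } catch (JsonProcessingException e) {
            return "FAILED (other): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        FakeResolver resolver = new FakeResolver();
        MyModel model = new MyModel(resolver);

        // 1. Disclosure: the search path and the (still empty) property map
        //    end up in the exported JSON next to the model's own data.
        System.out.println("plain, empty map : " + export(plainMapper(), model));

        // 2. Unpredictable failure: code that never touches the model stores
        //    an object in the property map, and the export now breaks.
        resolver.getPropertyMap().put("policy.cache", new InternalService());
        System.out.println("plain, after put : " + export(plainMapper(), model));

        // 3. With the mix-in the resolver property is dropped, so neither the
        //    disclosure nor the failure can occur through this getter.
        System.out.println("hardened         : " + export(hardenedMapper(), model));
    }
}
```

On the model side, annotating the getter with `@JsonIgnore` or exposing a narrower type instead of the resolver has the same effect for a single class.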
[GitHub] [sling-org-apache-sling-models-jacksonexporter] joerghoh opened a new pull request, #7: SLING-11924 disallow the serialization of a ResourceResolver
joerghoh opened a new pull request, #7:
URL: https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/pull/7

(no comment)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [sling-org-apache-sling-models-jacksonexporter] sonarcloud[bot] commented on pull request #7: SLING-11924 disallow the serialization of a ResourceResolver
sonarcloud[bot] commented on PR #7:
URL: https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/pull/7#issuecomment-1616745937

SonarCloud Quality Gate failed.
Dashboard: https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-models-jacksonexporter&pullRequest=7

* 0 Bugs (rating A)
* 0 Vulnerabilities (rating A)
* 0 Security Hotspots (rating A)
* 6 Code Smells (rating A)
* 77.8% Coverage
* 0.0% Duplication
[GitHub] [sling-org-apache-sling-models-jacksonexporter] sonarcloud[bot] commented on pull request #7: SLING-11924 disallow the serialization of a ResourceResolver
sonarcloud[bot] commented on PR #7:
URL: https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/pull/7#issuecomment-1616748441

Kudos, SonarCloud Quality Gate passed!
Dashboard: https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-models-jacksonexporter&pullRequest=7

* 0 Bugs (rating A)
* 0 Vulnerabilities (rating A)
* 0 Security Hotspots (rating A)
* 3 Code Smells (rating A)
* 100.0% Coverage
* 0.0% Duplication
[jira] [Updated] (SLING-11924) ModelExporter should not serialize a ResourceResolver
[ https://issues.apache.org/jira/browse/SLING-11924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joerg Hoh updated SLING-11924:

Description:

With the addition of {{ResourceResolver.getPropertyMap()}} (SLING-10895) I found that the serialization of a ResourceResolver can fail like this:

{noformat}
rg.apache.sling.models.factory.ExportException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No serializer found for class com.day.cq.wcm.core.impl.policies.ContentPolicyManagerImpl and no properties discovered to create BeanSerializer (to avoid exception, disable SerializationFeature.FAIL_ON_EMPTY_BEANS) (through reference chain: com.myapp.PageImpl[":items"]> [...] > com.myapp.MyModel["resolver"] >org.apache.sling.resourceresolver.impl.ResourceResolverImpl["propertyMap"] >java.util.HashMap["com.day.cq.wcm.core.impl.policies.ContentPolicyAdapterFactory.ContentPolicy"])
    at org.apache.sling.models.jacksonexporter.impl.JacksonExporter.export(JacksonExporter.java:138) [org.apache.sling.models.jacksonexporter:1.1.2]
    at org.apache.sling.models.impl.ModelAdapterFactory.exportModel(ModelAdapterFactory.java:1333) [org.apache.sling.models.impl:1.5.4]
{noformat}

This is caused by the fact that a Sling Model class serializes a ResourceResolver, which is problematic for these 2 reasons:

* It can fail for the above-mentioned reason in an unpredictable way (for example, some code adds items via {{getPropertyMap().put(x,y)}} and the serialization fails at a totally different place).
* The serialization of the RR discloses implementation details (e.g. searchpaths, or other things which might be stored in the propertyMap).

I am not aware of any reason why a ResourceResolver should be serialized; instead, more specialized types should be used.

For these reasons we should have a way to disable the serialization of the ResourceResolver. For backwards compatibility we can keep the existing behavior as a default, but I also see reasons why the serialization of the RR should be turned off by default.

See also the discussion on sling-dev: https://lists.apache.org/thread/8xl4lgfl5omv3md4drgyqqz3vmfllsom

> ModelExporter should not serialize a ResourceResolver
>
> Key: SLING-11924
> URL: https://issues.apache.org/jira/browse/SLING-11924
> Project: Sling
> Issue Type: Task
> Components: Sling Models
> Affects Versions: Sling Models Jackson Exporter 1.0.2
> Reporter: Joerg Hoh
> Priority: Major
[jira] [Commented] (SLING-11924) ModelExporter should not serialize a ResourceResolver
[ https://issues.apache.org/jira/browse/SLING-11924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17739398#comment-17739398 ]

Joerg Hoh commented on SLING-11924:

PR: https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/pull/7
[jira] [Assigned] (SLING-11924) ModelExporter should not serialize a ResourceResolver
[ https://issues.apache.org/jira/browse/SLING-11924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joerg Hoh reassigned SLING-11924:

Assignee: Joerg Hoh
[jira] [Updated] (SLING-11924) ModelExporter should not serialize a ResourceResolver
[ https://issues.apache.org/jira/browse/SLING-11924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joerg Hoh updated SLING-11924:

Fix Version/s: Models Jackson Exporter 1.1.4
[GitHub] [sling-org-apache-sling-models-jacksonexporter] sonarcloud[bot] commented on pull request #7: SLING-11924 disallow the serialization of a ResourceResolver
sonarcloud[bot] commented on PR #7:
URL: https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/pull/7#issuecomment-1616756038

Kudos, SonarCloud Quality Gate passed!
Dashboard: https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-models-jacksonexporter&pullRequest=7

* 0 Bugs (rating A)
* 0 Vulnerabilities (rating A)
* 0 Security Hotspots (rating A)
* 2 Code Smells (rating A)
* 100.0% Coverage
* 0.0% Duplication
[jira] [Updated] (SLING-11924) ModelExporter should not serialize a ResourceResolver
[ https://issues.apache.org/jira/browse/SLING-11924?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joerg Hoh updated SLING-11924:

Description:

With the addition of {{ResourceResolver.getPropertyMap()}} (SLING-10895) I found that the serialization of a ResourceResolver can fail like this:

{noformat}
org.apache.sling.models.factory.ExportException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No serializer found for class com.day.cq.wcm.core.impl.policies.ContentPolicyManagerImpl and no properties discovered to create BeanSerializer (to avoid exception, disable SerializationFeature.FAIL_ON_EMPTY_BEANS) (through reference chain: com.myapp.PageImpl[":items"]> [...] > com.myapp.MyModel["resolver"] >org.apache.sling.resourceresolver.impl.ResourceResolverImpl["propertyMap"] >java.util.HashMap["com.day.cq.wcm.core.impl.policies.ContentPolicyAdapterFactory.ContentPolicy"])
    at org.apache.sling.models.jacksonexporter.impl.JacksonExporter.export(JacksonExporter.java:138) [org.apache.sling.models.jacksonexporter:1.1.2]
    at org.apache.sling.models.impl.ModelAdapterFactory.exportModel(ModelAdapterFactory.java:1333) [org.apache.sling.models.impl:1.5.4]
{noformat}

This is caused by the fact that a Sling Model class serializes a ResourceResolver, which is problematic for these 2 reasons:

* It can fail for the above-mentioned reason in an unpredictable way (for example, some code adds items via {{getPropertyMap().put(x,y)}} and the serialization fails at a totally different place).
* The serialization of the RR discloses implementation details (e.g. searchpaths, or other things which might be stored in the propertyMap).

I am not aware of any reason why a ResourceResolver should be serialized; instead, more specialized types should be used.

For these reasons we should have a way to disable the serialization of the ResourceResolver. For backwards compatibility we can keep the existing behavior as a default, but I also see reasons why the serialization of the RR should be turned off by default.

See also the discussion on sling-dev: https://lists.apache.org/thread/8xl4lgfl5omv3md4drgyqqz3vmfllsom