
Property spring.json.trusted.packages=* doesn't work when also using property spring.json.type.mapping=something:com.example.Something #1858

@idkw

Description


Affects Version(s): 2.7.3

When using the property spring.json.trusted.packages=* the code at this line clears the trusted packages:

```java
@Override
public void addTrustedPackages(String... packagesToTrust) {
    if (packagesToTrust != null) {
        for (String trusted : packagesToTrust) {
            if ("*".equals(trusted)) {
                // "trust all" is represented by an empty set
                this.trustedPackages.clear();
                break;
            }
            else {
                this.trustedPackages.add(trusted);
            }
        }
    }
}
```

An empty trusted packages list is later interpreted as a "trust all" at:

```java
private boolean isTrustedPackage(String requestedType) {
    if (!this.trustedPackages.isEmpty()) {
        String packageName = ClassUtils.getPackageName(requestedType).replaceFirst("\\[L", "");
        for (String trustedPackage : this.trustedPackages) {
            if (PatternMatchUtils.simpleMatch(trustedPackage, packageName)) {
                return true;
            }
        }
        return false;
    }
    // empty set: every package is trusted
    return true;
}
```

However, when also using the property spring.json.type.mapping=something:com.example.Something, the code at this line is adding type mappings to the trusted packages:

```java
private Map<String, Class<?>> createMappings(Map<String, ?> configs) {
    Map<String, Class<?>> mappings =
            JsonSerializer.createMappings(configs.get(JsonSerializer.TYPE_MAPPINGS).toString());
    // the package of every mapped class is added to trustedPackages,
    // so the set is no longer empty
    addMappingsToTrusted(mappings);
    return mappings;
}
```

This means that the trustedPackages collection is no longer empty, and the isTrustedPackage check will return false for any class that is not defined in the type mappings, even though the property spring.json.trusted.packages=* is supposed to allow everything.

The bug was introduced in that commit: bd49070

The workaround I have for now is to declare type mappings for all classes, even the ones I didn't need to, which is not very practical.
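The ordering problem described in this issue, reproduced in a standalone model. This is an added example, not Spring Kafka's own code: the class and method names (TrustedPackagesDemo, ClearingMapper, FlaggedMapper, packageOf, simpleMatch) are hypothetical stand-ins for the mapper shown above, java.time.Duration stands in for com.example.Something so the snippet runs without any extra class, and simpleMatch implements only the exact and trailing-wildcard forms of PatternMatchUtils.simpleMatch. ClearingMapper encodes "trust all" as an empty set exactly as the quoted code does; FlaggedMapper keeps an explicit trustAll flag so that a later addMappingsToTrusted cannot silently turn "trust everything" into "trust only the mapped packages".

```java
import java.util.LinkedHashSet;
import java.util.Set;

public class TrustedPackagesDemo {

    /** Model of the reported behaviour: "*" clears the set, an empty set means trust-all. */
    static class ClearingMapper {
        final Set<String> trustedPackages = new LinkedHashSet<>();

        void addTrustedPackages(String... packagesToTrust) {
            for (String trusted : packagesToTrust) {
                if ("*".equals(trusted)) {
                    trustedPackages.clear();          // trust-all encoded as "empty"
                    break;
                }
                trustedPackages.add(trusted);
            }
        }

        /** Mirrors addMappingsToTrusted(): the package of each mapped class becomes trusted. */
        void addMappingsToTrusted(String typeMappingProperty) {
            for (String pair : typeMappingProperty.split(",")) {
                String className = pair.substring(pair.indexOf(':') + 1).trim();
                trustedPackages.add(packageOf(className));   // set is no longer empty
            }
        }

        boolean isTrustedPackage(String requestedType) {
            if (!trustedPackages.isEmpty()) {
                String packageName = packageOf(requestedType);
                for (String trusted : trustedPackages) {
                    if (simpleMatch(trusted, packageName)) {
                        return true;
                    }
                }
                return false;                         // reached for every unmapped class
            }
            return true;
        }
    }

    /** Hardened variant (assumed fix, not the project's): trust-all is an explicit flag. */
    static class FlaggedMapper extends ClearingMapper {
        private boolean trustAll;

        @Override
        void addTrustedPackages(String... packagesToTrust) {
            for (String trusted : packagesToTrust) {
                if ("*".equals(trusted)) {
                    trustAll = true;                  // remembered independently of the set
                    break;
                }
                trustedPackages.add(trusted);
            }
        }

        @Override
        boolean isTrustedPackage(String requestedType) {
            return trustAll || super.isTrustedPackage(requestedType);
        }
    }

    /** Package of a class name; strips the "[L" prefix of array types like the original. */
    static String packageOf(String type) {
        String t = type.replaceFirst("\\[L", "");
        int dot = t.lastIndexOf('.');
        return dot < 0 ? "" : t.substring(0, dot);
    }

    /** Subset of PatternMatchUtils.simpleMatch: exact match or trailing '*' prefix match. */
    static boolean simpleMatch(String pattern, String value) {
        if (pattern.endsWith("*")) {
            return value.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(value);
    }

    public static void main(String[] args) {
        // constructed property values; java.time.Duration stands in for com.example.Something
        String mapping = "something:java.time.Duration";

        ClearingMapper buggy = new ClearingMapper();
        buggy.addTrustedPackages("*");
        buggy.addMappingsToTrusted(mapping);
        System.out.println("clearing, mapped class:   " + buggy.isTrustedPackage("java.time.Duration"));
        System.out.println("clearing, unmapped class: " + buggy.isTrustedPackage("java.util.HashMap"));

        FlaggedMapper fixed = new FlaggedMapper();
        fixed.addTrustedPackages("*");
        fixed.addMappingsToTrusted(mapping);
        System.out.println("flagged, mapped class:    " + fixed.isTrustedPackage("java.time.Duration"));
        System.out.println("flagged, unmapped class:  " + fixed.isTrustedPackage("java.util.HashMap"));
    }
}
```

With the clearing model, the unmapped java.util.HashMap is rejected after the type mapping is applied, which is the symptom reported above; the flagged model keeps trusting it. Independently of this bug, trusting every package lets a producer choose the deserialized type through the type header, so explicit package lists remain the safer configuration in production.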
