README.in

## dixmont

Some useful extension classes for [jackson](https://github.com/FasterXML/jackson).

### Features

* Restricted JSON deserializer for preventing reflection-based serialization attacks.
* Written in pure Java 21.
* [OSGi](https://www.osgi.org/) ready.
* [JPMS](https://en.wikipedia.org/wiki/Java_Platform_Module_System) ready.
* ISC license.
* High-coverage automated test suite.

### Motivation

Systems that use reflection to deserialize data are typically subject to
[deserialization attacks](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html).
The [jackson](https://github.com/FasterXML/jackson) JSON library is no
exception to this.

The `dixmont` package provides a blunt and brute-force means to reduce the
impact of attacks: All of the permitted classes that can be deserialized are
listed, and everything else is rejected.

### Building

```
$ mvn clean verify
```

### Usage

Create a restricted serializer that is permitted to deserialize only the
given classes and no others, and then register it with an `ObjectMapper`:

```
var serializers =
  DmJsonRestrictedDeserializers.builder()
    .allowClass(Optional.class)
    .allowClass(Path.class)
    .allowClass(String.class)
    .allowClass(URI.class)
    .allowClass(int.class)
    .allowClass(double.class)
    .allowClass(List.class)
    .allowClassName(
      "java.util.Optional<java.lang.Integer>")
    .allowClassName(
      "java.util.List<java.lang.String>")
    .build();

var mapper =
  JsonMapper.builder()
    .build();

final var simpleModule = new SimpleModule();
simpleModule.setDeserializers(this.serializers);
mapper.registerModule(simpleModule);
```

Parser code using the given `ObjectMapper` will be prevented from deserializing
values of anything other than the given classes. Hostile JSON text that attempts
to get the deserializer to instantiate other classes will fail.