Issue
- We have a WAR portlet that uses JSONFactoryUtil.looseDeserialize method.
- Also, our class is defined as whitelisted. See following:
json.deserialization.whitelist.class.names=\
com.liferay.portal.kernel.cal.DayAndPosition,\
com.liferay.portal.kernel.cal.Duration,\
com.liferay.portal.kernel.cal.TZSRecurrence,\
com.liferay.portal.kernel.internal.service.permission.ModelPermissionsImpl,\
com.liferay.portal.kernel.messaging.Message,\
com.liferay.portal.kernel.model.PortletPreferencesIds,\
com.liferay.portal.kernel.security.auth.HttpPrincipal,\
com.liferay.portal.kernel.service.ServiceContext,\
com.liferay.portal.kernel.util.HtmlEscapableObject,\
com.liferay.portal.kernel.util.GroupSubscriptionCheckSubscriptionSender,\
com.liferay.portal.kernel.util.LongWrapper,\
com.liferay.portal.kernel.util.SubscriptionSender,\
com.liferay.portal.kernel.util.SubscriptionSender$HTMLAtributeEscapableObject,\
com.liferay.portal.kernel.util.SubscriptionSender$URIEscapableObject,\
com.liferay.portal.kernel.util.Tuple,\
java.util.GregorianCalendar,\
java.util.Locale,\
java.util.TimeZone,\
sun.util.calendar.ZoneInfo,\
com.acme.MyClass
- But when we use that method we get a HashMap object instead of com.acme.MyClass as expected.
Resolution
- There is another available method to get the expected result:
JSONFactoryUtil.deserialize(String json)
- This method provides a deserializing procedure that uses the property
json.deserialization.whitelist.class.names
- Whereas the refered method
JSONFactoryUtil.looseDeserialize(String json)
does not use that property. As result, the deserializing procedure is not completed.
- Thus, you have to use JSONFactoryUtil.deserialize(String json) method.