Restrict ScimJacksonXmlBindJsonProvider to only handling SCIMple classes

Previously application/json requests may have lost any custom extension data. This change adds applicaiton/json to the list of supproted media types (as recommended by the SCIM specs), but restricts it's types to ONLY classes known by SCIMple, and allows other MessageBodyReader/Writer to handle other requests Fixes: #390
apache · Nov 3, 2023 · 3723b4b · 3723b4b
1 parent 6634530
commit 3723b4b
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 4 deletions.
diff --git a/scim-compliance-tests/src/main/java/org/apache/directory/scim/compliance/tests/UsersIT.java b/scim-compliance-tests/src/main/java/org/apache/directory/scim/compliance/tests/UsersIT.java
@@ -188,7 +188,7 @@ public void userNameByFilter() {
 
     get("/Users", Map.of("filter", "userName eq \"" + userName + "\""))
       .statusCode(200)
-      .contentType("application/scim+json")
+      .contentType(SCIM_MEDIA_TYPE)
       .body(
         "schemas", contains(SCHEMA_LIST_RESPONSE),
         "totalResults", is(1)

diff --git a/...r/src/main/java/org/apache/directory/scim/server/rest/ScimJacksonXmlBindJsonProvider.java b/...r/src/main/java/org/apache/directory/scim/server/rest/ScimJacksonXmlBindJsonProvider.java
@@ -21,6 +21,7 @@
 
 import com.fasterxml.jackson.jakarta.rs.json.JacksonXmlBindJsonProvider;
 import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.core.MediaType;
 import org.apache.directory.scim.core.json.ObjectMapperFactory;
 import org.apache.directory.scim.core.schema.SchemaRegistry;
 import org.apache.directory.scim.protocol.Constants;
@@ -29,16 +30,27 @@
 import jakarta.ws.rs.Consumes;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.ext.Provider;
+import org.apache.directory.scim.protocol.data.ListResponse;
+import org.apache.directory.scim.spec.resources.ScimResource;
+import org.apache.directory.scim.spec.schema.ServiceProviderConfiguration;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Set;
 
 /**
- * Adds JacksonJaxbJsonProvider for custom MediaType {@code application/scim+json}.
+ * Adds JacksonJaxbJsonProvider for custom MediaType {@code application/scim+json} and application/json.
  */
 @Provider
-@Consumes(Constants.SCIM_CONTENT_TYPE)
-@Produces(Constants.SCIM_CONTENT_TYPE)
+@Consumes({Constants.SCIM_CONTENT_TYPE, MediaType.APPLICATION_JSON})
+@Produces({Constants.SCIM_CONTENT_TYPE, MediaType.APPLICATION_JSON})
 @ApplicationScoped
 public class ScimJacksonXmlBindJsonProvider extends JacksonXmlBindJsonProvider {
 
+  private static final Set<Package> SUPPORTED_PACKAGES = Set.of(ScimResource.class.getPackage(),
+                                                                ListResponse.class.getPackage(),
+                                                                ServiceProviderConfiguration.class.getPackage());
+
   public ScimJacksonXmlBindJsonProvider() {
     // CDI
   }
@@ -47,4 +59,16 @@ public ScimJacksonXmlBindJsonProvider() {
   public ScimJacksonXmlBindJsonProvider(SchemaRegistry schemaRegistry) {
     super(ObjectMapperFactory.createObjectMapper(schemaRegistry), DEFAULT_ANNOTATIONS);
   }
+
+  @Override
+  public boolean isReadable(Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType) {
+    return super.isReadable(type, genericType, annotations, mediaType)
+      && SUPPORTED_PACKAGES.contains(type.getPackage());
+  }
+
+  @Override
+  public boolean isWriteable(Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType) {
+    return super.isWriteable(type, genericType, annotations, mediaType)
+      && SUPPORTED_PACKAGES.contains(type.getPackage());
+  }
 }