spring-kafkaspring-cloud-streamjson-deserializationspring-cloud-stream-binder-kafkaspring-cloud-stream-binder

Is it a problem if I set spring.json.trusted.packages = '*' while consuming data in Spring Cloud Stream?

I am using Spring Cloud Stream in my project. I haven't started consuming with functional stream yet. I'm still consuming data with @StreamListener. I also consume the data as batch. Since I consume the data as batch, I have to give deserializer.

I have too many input topics and I have to create new deserializer classes.

However, there is one small point I noticed. If I set spring.json.trusted.packages: '*' , I don't need to create a new deserializer class and I can use JsonDeserializer for any data. So I don't need to create a deserializer for each newly created data.

But before I do this, many questions come to my mind. Does consuming data this way have any effect on performance?

Is there any benefit to me if I provide a separate deserializer? Why do we create new deserializer classes for each data? Does spring.json.trusted.packages:'*' setting do us any harm? Can you please help me with this?

application.yml with PersonDeserializer

public class PersonDeserializer extends JsonDeserializer<Person> {
}

spring:
  cloud:
    stream:
      binders:
        bulkKafka:
          type: kafka
          environment:
            spring:
              cloud:
                stream:
                  kafka:
                    binder:
                      brokers: ${kafka.brokers}
                      minPartitionCount: ${default-configuration.kafka.partition-count}
                      autoCreateTopics: true
                      autoAddPartitions: true
                      configuration:
                        max.poll.records: 3000
                        fetch.min.bytes: 900000
                        fetch.max.wait.ms: 500
                        value.deserializer: org.example.PersonDeserializer
      bindings:
        person-topic-in:
          destination: person-topic
          contentType: application/json
          binder: bulkKafka
          group: ${spring.application.name}
          consumer:
            batch-mode: true

application.yml without PersonDeserializer

spring:
  kafka:
    consumer:
      properties:
        spring.json.trusted.packages: "*"
  cloud:
    stream:
      binders:
        bulkKafka:
          type: kafka
          environment:
            spring:
              cloud:
                stream:
                  kafka:
                    binder:
                      brokers: ${kafka.brokers}
                      minPartitionCount: ${default-configuration.kafka.partition-count}
                      autoCreateTopics: true
                      autoAddPartitions: true
                      configuration:
                        max.poll.records: 3000
                        fetch.min.bytes: 900000
                        fetch.max.wait.ms: 500
                        value.deserializer: org.springframework.kafka.support.serializer.JsonDeserializer
      bindings:
        person-topic-in:
          destination: person-topic
          contentType: application/json
          binder: bulkKafka
          group: ${spring.application.name}
          consumer:
            batch-mode: true
Solution

  • If you trust the source of the data, then it is ok; if you are receiving data from untrusted sources, then you should trust only specific packages.