
I am using Spring Cloud Stream in my project. I haven't started consuming with the functional style yet; I'm still consuming data with @StreamListener. I also consume the data as a batch. Since I consume the data as a batch, I have to provide a deserializer.

I have too many input topics and I have to create new deserializer classes.

However, there is one small point I noticed. If I set spring.json.trusted.packages: '*', I don't need to create a new deserializer class and I can use JsonDeserializer for any data. So I don't need to create a deserializer for each newly created data type.

But before I do this, many questions come to my mind. Does consuming data this way have any effect on performance?

Is there any benefit to me if I provide a separate deserializer? Why do we create new deserializer classes for each data type? Does the spring.json.trusted.packages: '*' setting do us any harm? Can you please help me with this?

application.yml with PersonDeserializer

package org.example;

import org.springframework.kafka.support.serializer.JsonDeserializer;

// Subclass bound to the Person payload type; referenced from application.yml as value.deserializer
public class PersonDeserializer extends JsonDeserializer<Person> {
}

spring:
  cloud:
    stream:
      binders:
        bulkKafka:
          type: kafka
          environment:
            spring:
              cloud:
                stream:
                  kafka:
                    binder:
                      brokers: ${kafka.brokers}
                      minPartitionCount: ${default-configuration.kafka.partition-count}
                      autoCreateTopics: true
                      autoAddPartitions: true
                      configuration:
                        max.poll.records: 3000
                        fetch.min.bytes: 900000
                        fetch.max.wait.ms: 500
                        value.deserializer: org.example.PersonDeserializer
      bindings:
        person-topic-in:
          destination: person-topic
          contentType: application/json
          binder: bulkKafka
          group: ${spring.application.name}
          consumer:
            batch-mode: true

application.yml without PersonDeserializer

spring:
  kafka:
    consumer:
      properties:
        spring.json.trusted.packages: "*"
  cloud:
    stream:
      binders:
        bulkKafka:
          type: kafka
          environment:
            spring:
              cloud:
                stream:
                  kafka:
                    binder:
                      brokers: ${kafka.brokers}
                      minPartitionCount: ${default-configuration.kafka.partition-count}
                      autoCreateTopics: true
                      autoAddPartitions: true
                      configuration:
                        max.poll.records: 3000
                        fetch.min.bytes: 900000
                        fetch.max.wait.ms: 500
                        value.deserializer: org.springframework.kafka.support.serializer.JsonDeserializer
      bindings:
        person-topic-in:
          destination: person-topic
          contentType: application/json
          binder: bulkKafka
          group: ${spring.application.name}
          consumer:
            batch-mode: true
omerstack
  • This question is really not related to spring-cloud-stream, rather to Kafka and ser/deser of classes by it. You can find a really comprehensive discussion and answer here - https://stackoverflow.com/questions/51688924/spring-kafka-the-class-is-not-in-the-trusted-packages. Also, by not moving to the functional style you are risking falling out of support very soon. The last version that supports the annotation-based programming model is 3.2.x, which will soon be EOL. It has already been removed from the main branch, so consider migrating quickly. – Oleg Zhurakousky Oct 10 '22 at 06:41
  • Ok. Thank you so much. I also tagged spring-kafka because I realized this later. I looked at the link you sent, but I couldn't find an answer to my question. Is there any harm if I set spring.json.trusted.packages: "*"? Or would it be better to make a custom deserializer myself? I want to know. Why do we make custom deserializers? Could you help me? Is it possible for you to explain? @OlegZhurakousky – omerstack Oct 10 '22 at 06:51

1 Answer

If you trust the source of the data, then it is ok; if you are receiving data from untrusted sources, then you should trust only specific packages.

Gary Russell
  • Thank you very much for your answer, @Gary Russell. I don't know what untrusted source means. So I don't understand how untrusted source causes a problem. Can you help me understand? – omerstack Oct 10 '22 at 20:13
  • If external third parties can somehow publish records to your topic then you should not trust them. If your environment is secure, and you trust every application that can write to your topic, then you don't need to worry. – Gary Russell Oct 11 '22 at 12:44
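To put the answer in code: an added example, not the question's project or a Spring Kafka sample, that feeds JsonDeserializer a hand-built record and shows what the trusted-packages check is deciding. The Person class, the package org.example.model, the JSON body and the header value com.other.NotChecked are constructed for the demo; JsonDeserializer, its property constants and the __TypeId__ header are Spring Kafka's own, and the refusal is assumed to surface as an unchecked exception.

```java
package org.example.model;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import org.apache.kafka.common.header.Headers;
import org.apache.kafka.common.header.internals.RecordHeaders;
import org.springframework.kafka.support.mapping.AbstractJavaTypeMapper;
import org.springframework.kafka.support.serializer.JsonDeserializer;

public class TrustedPackagesDemo {
    // Constructed payload class standing in for the question's org.example.Person.
    public static class Person {
        public String name;
        public int age;
    }

    // A record as a JsonSerializer-based producer sends it: JSON body plus a __TypeId__ header
    // naming the class to build. The producer picks that value, which is what the check guards.
    static Headers headersNaming(String typeId) {
        return new RecordHeaders().add(AbstractJavaTypeMapper.DEFAULT_CLASSID_FIELD_NAME,
                typeId.getBytes(StandardCharsets.UTF_8));
    }

    static void attempt(String label, Map<String, ?> props, Headers headers) {
        byte[] json = "{\"name\":\"Ada\",\"age\":36}".getBytes(StandardCharsets.UTF_8);
        try (JsonDeserializer<Person> des = new JsonDeserializer<>()) {
            des.configure(props, false); // false: this is the value deserializer
            Object value = des.deserialize("person-topic", headers, json);
            System.out.println(label + ": OK, built " + value.getClass().getName());
        } catch (RuntimeException e) {
            System.out.println(label + ": REJECTED, " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        String person = Person.class.getName(); // org.example.model.TrustedPackagesDemo$Person
        // Defaults trust only java.util and java.lang, so the header type is refused.
        attempt("defaults", Map.of(), headersNaming(person));
        // The answer's advice: trust only the package(s) your own payload classes live in.
        // "*" (the question's setting) would instead accept any class on the classpath.
        attempt("trusted package",
                Map.of(JsonDeserializer.TRUSTED_PACKAGES, "org.example.model"), headersNaming(person));
        // Stricter: ignore the header and always build the configured type, so the
        // producer has no say in which class gets instantiated.
        attempt("header ignored",
                Map.of(JsonDeserializer.USE_TYPE_INFO_HEADERS, "false",
                       JsonDeserializer.VALUE_DEFAULT_TYPE, person),
                headersNaming("com.other.NotChecked"));
    }
}
```

The same three settings map onto the question's YAML as spring.json.trusted.packages, spring.json.use.type.headers and spring.json.value.default.type under the consumer properties.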