Prevent Kotlin Serialization converters side effects

This commit updates Kotlin serialization converters to perform
an additional check invoking
KotlinDetector#hasSerializableAnnotation to decide if the
related type should be processed or not.

The goal is to prevent in the default arrangement conflicts
between general purpose converters like Jackson and
Kotlin serialization when both are used.

New constructors allowing to specify a custom predicate
are also introduced.

See gh-35761

Author: sdeleuze

spring-web/src/main/java/org/springframework/http/converter/AbstractKotlinSerializationHttpMessageConverter.java

@@ -20,13 +20,15 @@
 import java.lang.reflect.Type;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Predicate;
 
 import kotlin.reflect.KType;
 import kotlinx.serialization.KSerializer;
 import kotlinx.serialization.SerialFormat;
 import kotlinx.serialization.SerializersKt;
 import org.jspecify.annotations.Nullable;
 
+import org.springframework.core.KotlinDetector;
 import org.springframework.core.ResolvableType;
 import org.springframework.http.HttpInputMessage;
 import org.springframework.http.HttpOutputMessage;
@@ -38,9 +40,11 @@
  * Abstract base class for {@link HttpMessageConverter} implementations that
  * use Kotlin serialization.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only encodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose converters without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Andreas Ahlenstorf
  * @author Sebastien Deleuze
@@ -58,15 +62,30 @@ public abstract class AbstractKotlinSerializationHttpMessageConverter<T extends
 
 	private final T format;
 
+	private final Predicate<ResolvableType> typePredicate;
+
 
 	/**
-	 * Construct an {@code AbstractKotlinSerializationHttpMessageConverter} with multiple supported media type and
-	 * format.
-	 * @param format the format
-	 * @param supportedMediaTypes the supported media types
+	 * Creates a new instance with the given format and supported mime types
+	 * which only converters types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
 	 */
 	protected AbstractKotlinSerializationHttpMessageConverter(T format, MediaType... supportedMediaTypes) {
 		super(supportedMediaTypes);
+		this.typePredicate = KotlinDetector::hasSerializableAnnotation;
+		this.format = format;
+	}
+
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only converts types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	protected AbstractKotlinSerializationHttpMessageConverter(T format, Predicate<ResolvableType> typePredicate, MediaType... supportedMediaTypes) {
+		super(supportedMediaTypes);
+		this.typePredicate = typePredicate;
 		this.format = format;
 	}
 
@@ -77,27 +96,27 @@ public List<MediaType> getSupportedMediaTypes(Class<?> clazz) {
 
 	@Override
 	protected boolean supports(Class<?> clazz) {
-		return serializer(ResolvableType.forClass(clazz), null) != null;
+		ResolvableType type = ResolvableType.forClass(clazz);
+		if (!this.typePredicate.test(type)) {
+			return false;
+		}
+		return serializer(type, null) != null;
 	}
 
 	@Override
 	public boolean canRead(ResolvableType type, @Nullable MediaType mediaType) {
-		if (!ResolvableType.NONE.equals(type) && serializer(type, null) != null) {
-			return canRead(mediaType);
-		}
-		else {
+		if (!this.typePredicate.test(type) || ResolvableType.NONE.equals(type)) {
 			return false;
 		}
+		return serializer(type, null) != null && canRead(mediaType);
 	}
 
 	@Override
 	public boolean canWrite(ResolvableType type, Class<?> clazz, @Nullable MediaType mediaType) {
-		if (!ResolvableType.NONE.equals(type) && serializer(type, null) != null) {
-			return canWrite(mediaType);
-		}
-		else {
+		if (!this.typePredicate.test(type) || ResolvableType.NONE.equals(type)) {
 			return false;
 		}
+		return serializer(type, null) != null && canWrite(mediaType);
 	}
 
 	@Override

spring-web/src/main/java/org/springframework/http/converter/KotlinSerializationBinaryHttpMessageConverter.java

@@ -17,11 +17,13 @@
 package org.springframework.http.converter;
 
 import java.io.IOException;
+import java.util.function.Predicate;
 
 import kotlinx.serialization.BinaryFormat;
 import kotlinx.serialization.KSerializer;
 import kotlinx.serialization.SerializationException;
 
+import org.springframework.core.ResolvableType;
 import org.springframework.http.HttpInputMessage;
 import org.springframework.http.HttpOutputMessage;
 import org.springframework.http.MediaType;
@@ -31,9 +33,11 @@
  * Abstract base class for {@link HttpMessageConverter} implementations that
  * defer to Kotlin {@linkplain BinaryFormat binary serializers}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only encodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose converters without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Andreas Ahlenstorf
  * @author Sebastien Deleuze
@@ -47,12 +51,25 @@ public abstract class KotlinSerializationBinaryHttpMessageConverter<T extends Bi
 		extends AbstractKotlinSerializationHttpMessageConverter<T> {
 
 	/**
-	 * Construct an {@code KotlinSerializationBinaryHttpMessageConverter} with format and supported media types.
+	 * Creates a new instance with the given format and supported mime types
+	 * which only converters types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
 	 */
 	protected KotlinSerializationBinaryHttpMessageConverter(T format, MediaType... supportedMediaTypes) {
 		super(format, supportedMediaTypes);
 	}
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only converts types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	protected KotlinSerializationBinaryHttpMessageConverter(T format, Predicate<ResolvableType> typePredicate, MediaType... supportedMediaTypes) {
+		super(format, typePredicate, supportedMediaTypes);
+	}
+
 	@Override
 	protected Object readInternal(KSerializer<Object> serializer, T format, HttpInputMessage inputMessage)
 			throws IOException, HttpMessageNotReadableException {

spring-web/src/main/java/org/springframework/http/converter/KotlinSerializationStringHttpMessageConverter.java

@@ -19,12 +19,14 @@
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
+import java.util.function.Predicate;
 
 import kotlinx.serialization.KSerializer;
 import kotlinx.serialization.SerializationException;
 import kotlinx.serialization.StringFormat;
 import org.jspecify.annotations.Nullable;
 
+import org.springframework.core.ResolvableType;
 import org.springframework.http.HttpInputMessage;
 import org.springframework.http.HttpOutputMessage;
 import org.springframework.http.MediaType;
@@ -34,9 +36,11 @@
  * Abstract base class for {@link HttpMessageConverter} implementations that
  * defer to Kotlin {@linkplain StringFormat string serializers}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only encodes types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics level
+ * since it allows combined usage with other general purpose converters without conflicts.
+ * Alternative constructors with a {@code Predicate<ResolvableType>} parameter can be used
+ * to customize this behavior.
  *
  * @author Andreas Ahlenstorf
  * @author Sebastien Deleuze
@@ -51,12 +55,25 @@ public abstract class KotlinSerializationStringHttpMessageConverter<T extends St
 
 
 	/**
-	 * Construct an {@code KotlinSerializationStringHttpMessageConverter} with format and supported media types.
+	 * Creates a new instance with the given format and supported mime types
+	 * which only converters types annotated with
+	 * {@link kotlinx.serialization.Serializable @Serializable} at type or
+	 * generics level.
 	 */
 	protected KotlinSerializationStringHttpMessageConverter(T format, MediaType... supportedMediaTypes) {
 		super(format, supportedMediaTypes);
 	}
 
+	/**
+	 * Creates a new instance with the given format and supported mime types
+	 * which only converts types for which the specified predicate returns
+	 * {@code true}.
+	 * @since 7.0
+	 */
+	protected KotlinSerializationStringHttpMessageConverter(T format, Predicate<ResolvableType> typePredicate, MediaType... supportedMediaTypes) {
+		super(format, typePredicate, supportedMediaTypes);
+	}
+
 
 	@Override
 	protected Object readInternal(KSerializer<Object> serializer, T format, HttpInputMessage inputMessage)

spring-web/src/main/java/org/springframework/http/converter/cbor/KotlinSerializationCborHttpMessageConverter.java

@@ -16,8 +16,11 @@
 
 package org.springframework.http.converter.cbor;
 
+import java.util.function.Predicate;
+
 import kotlinx.serialization.cbor.Cbor;
 
+import org.springframework.core.ResolvableType;
 import org.springframework.http.MediaType;
 import org.springframework.http.converter.KotlinSerializationBinaryHttpMessageConverter;
 
@@ -27,20 +30,56 @@
  * <a href="https://github.com/Kotlin/kotlinx.serialization">kotlinx.serialization</a>.
  * It supports {@code application/cbor}.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only  types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics
+ * level since it allows combined usage with other general purpose JSON decoders
+ * like {@link JacksonCborHttpMessageConverter} without conflicts.
+ *
+ * <p>Alternative constructors with a {@code Predicate<ResolvableType>}
+ * parameter can be used to customize this behavior. For example,
+ * {@code new KotlinSerializationCborHttpMessageConverter(type -> true)} will decode all types
+ * supported by Kotlin Serialization, including unannotated Kotlin enumerations,
+ * numbers, characters, booleans and strings.
  *
  * @author Iain Henderson
+ * @author Sebastien Deleuze
  * @since 6.0
  */
 public class KotlinSerializationCborHttpMessageConverter extends KotlinSerializationBinaryHttpMessageConverter<Cbor> {
+
+	/**
+	 * Construct a new converter using {@link Cbor.Default} instance which
+	 * only converts types annotated with {@link kotlinx.serialization.Serializable @Serializable}
+	 * at type or generics level.
+	 */
 	public KotlinSerializationCborHttpMessageConverter() {
 		this(Cbor.Default);
 	}
 
+	/**
+	 * Construct a new converter using {@link Cbor.Default} instance which
+	 * only converts types for which the specified predicate returns {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationCborHttpMessageConverter(Predicate<ResolvableType> typePredicate) {
+		this(Cbor.Default, typePredicate);
+	}
+
+	/**
+	 * Construct a new converter using the provided {@link Cbor} instance which
+	 * only converts types annotated with {@link kotlinx.serialization.Serializable @Serializable}
+	 * at type or generics level.
+	 */
 	public KotlinSerializationCborHttpMessageConverter(Cbor cbor) {
 		super(cbor, MediaType.APPLICATION_CBOR);
 	}
 
+	/**
+	 * Construct a new converter using the provided {@link Cbor} instance which
+	 * only converts types for which the specified predicate returns {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationCborHttpMessageConverter(Cbor cbor, Predicate<ResolvableType> typePredicate) {
+		super(cbor, typePredicate, MediaType.APPLICATION_CBOR);
+	}
 }

spring-web/src/main/java/org/springframework/http/converter/json/KotlinSerializationJsonHttpMessageConverter.java

@@ -16,8 +16,11 @@
 
 package org.springframework.http.converter.json;
 
+import java.util.function.Predicate;
+
 import kotlinx.serialization.json.Json;
 
+import org.springframework.core.ResolvableType;
 import org.springframework.http.MediaType;
 import org.springframework.http.converter.KotlinSerializationStringHttpMessageConverter;
 
@@ -28,9 +31,16 @@
  * It supports {@code application/json} and {@code application/*+json} with
  * various character sets, {@code UTF-8} being the default.
  *
- * <p>As of Spring Framework 7.0,
- * <a href="https://github.com/Kotlin/kotlinx.serialization/blob/master/docs/polymorphism.md#open-polymorphism">open polymorphism</a>
- * is supported.
+ * <p>As of Spring Framework 7.0, by default it only  types annotated with
+ * {@link kotlinx.serialization.Serializable @Serializable} at type or generics
+ * level since it allows combined usage with other general purpose JSON decoders
+ * like {@link JacksonJsonHttpMessageConverter} without conflicts.
+ *
+ * <p>Alternative constructors with a {@code Predicate<ResolvableType>}
+ * parameter can be used to customize this behavior. For example,
+ * {@code new KotlinSerializationJsonHttpMessageConverter(type -> true)} will decode all types
+ * supported by Kotlin Serialization, including unannotated Kotlin enumerations,
+ * numbers, characters, booleans and strings.
  *
  * @author Andreas Ahlenstorf
  * @author Sebastien Deleuze
@@ -40,17 +50,42 @@
  */
 public class KotlinSerializationJsonHttpMessageConverter extends KotlinSerializationStringHttpMessageConverter<Json> {
 
+	private static final MediaType[] DEFAULT_JSON_MIME_TYPES = new MediaType[] {
+			MediaType.APPLICATION_JSON, new MediaType("application", "*+json") };
+
 	/**
-	 * Construct a new {@code KotlinSerializationJsonHttpMessageConverter} with the default configuration.
+	 * Construct a new converter using {@link Json.Default} instance which
+	 * only converts types annotated with {@link kotlinx.serialization.Serializable @Serializable}
+	 * at type or generics level.
 	 */
 	public KotlinSerializationJsonHttpMessageConverter() {
 		this(Json.Default);
 	}
 
 	/**
-	 * Construct a new {@code KotlinSerializationJsonHttpMessageConverter} with a custom configuration.
+	 * Construct a new converter using {@link Json.Default} instance which
+	 * only converts types for which the specified predicate returns {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationJsonHttpMessageConverter(Predicate<ResolvableType> typePredicate) {
+		this(Json.Default, typePredicate);
+	}
+
+	/**
+	 * Construct a new converter using the provided {@link Json} instance which
+	 * only converts types annotated with {@link kotlinx.serialization.Serializable @Serializable}
+	 * at type or generics level.
 	 */
 	public KotlinSerializationJsonHttpMessageConverter(Json json) {
-		super(json, MediaType.APPLICATION_JSON, new MediaType("application", "*+json"));
+		super(json, DEFAULT_JSON_MIME_TYPES);
+	}
+
+	/**
+	 * Construct a new converter using the provided {@link Json} instance which
+	 * only converts types for which the specified predicate returns {@code true}.
+	 * @since 7.0
+	 */
+	public KotlinSerializationJsonHttpMessageConverter(Json json, Predicate<ResolvableType> typePredicate) {
+		super(json, typePredicate, DEFAULT_JSON_MIME_TYPES);
 	}
 }