From 9dab8277cea92bd0aa5d880b816dde2c93481e00 Mon Sep 17 00:00:00 2001
From: Rob Bygrave
Date: Tue, 11 Nov 2025 07:43:02 +1300
Subject: [PATCH] #3551 Log warning for use of mapping column to Class

I think it was a mistake for Ebean to support Class from a security perspective. Instead, Ebean should just use a String <-> Varchar and leave if up to the application to take that String and convert it to a class [and then that potential Class initialisation is owned by the application code and all security considerations around that are owned by the application code].
---
 .../java/io/ebeaninternal/server/type/DefaultTypeManager.java | 3 +++
 .../java/io/ebeaninternal/server/type/ScalarTypeClass.java | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/ebean-core/src/main/java/io/ebeaninternal/server/type/DefaultTypeManager.java b/ebean-core/src/main/java/io/ebeaninternal/server/type/DefaultTypeManager.java
index 25eb11ca2e..225029e7a6 100644
--- a/ebean-core/src/main/java/io/ebeaninternal/server/type/DefaultTypeManager.java
+++ b/ebean-core/src/main/java/io/ebeaninternal/server/type/DefaultTypeManager.java
@@ -216,6 +216,9 @@ public ScalarType type(Class type) {
 }
 found = checkInheritedTypes(type);
 }
+ if (found instanceof ScalarTypeClass) {
+ log.log(WARNING, "@Column mapping for type Class is deprecated. Please refer to https://ebean.io/docs/deprecated#class-mapping");
+ }
 return found != ScalarTypeNotFound.INSTANCE ? found : null; // Do not return ScalarTypeNotFound, otherwise checks will fail
 }
diff --git a/ebean-core/src/main/java/io/ebeaninternal/server/type/ScalarTypeClass.java b/ebean-core/src/main/java/io/ebeaninternal/server/type/ScalarTypeClass.java
index 2e636fd4a3..da6689284d 100644
--- a/ebean-core/src/main/java/io/ebeaninternal/server/type/ScalarTypeClass.java
+++ b/ebean-core/src/main/java/io/ebeaninternal/server/type/ScalarTypeClass.java
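Review bot: The new warning in `type(Class type)` says the mapping is deprecated but not why, and because the check sits after the lookup block it appears to run on every call that resolves to `ScalarTypeClass`, without naming the entity or property that uses the mapping. The commit message gives security as the reason and the mapping itself stays active, so the message should say so and name the replacement, e.g. `"@Column mapping for type Class is deprecated for security reasons; map the column as String and convert it in application code. See https://ebean.io/docs/deprecated#class-mapping"`. A short comment above the check, such as `// Class mapping is kept for compatibility only; see #3551 for the security rationale`, would keep a later cleanup from dropping the warning. The method body starts before the hunk, so whether this path is reached once per mapped property or repeatedly cannot be confirmed from here.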
@@ -10,7 +10,7 @@
 @SuppressWarnings({"rawtypes"})
 final class ScalarTypeClass extends ScalarTypeBaseVarchar {
- public ScalarTypeClass() {
+ ScalarTypeClass() {
 super(Class.class);
 }