diff --git a/src/main/java/org/opensearch/security/DefaultObjectMapper.java b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
index 27aae2b5e4..69e1d0ac83 100644
--- a/src/main/java/org/opensearch/security/DefaultObjectMapper.java
+++ b/src/main/java/org/opensearch/security/DefaultObjectMapper.java
@@ -61,6 +61,8 @@ public class DefaultObjectMapper {
         // if jackson cant parse the entity, e.g. passwords, hashes and so on,
         // but provides which property is unknown
         objectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
+        defaulOmittingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
+        YAML_MAPPER.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
         // objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
         objectMapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
         defaulOmittingObjectMapper.setSerializationInclusion(Include.NON_DEFAULT);
diff --git a/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java b/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
index dcc0973830..e0b34b3da1 100644
--- a/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
+++ b/src/main/java/org/opensearch/security/NonValidatingObjectMapper.java
@@ -45,6 +45,7 @@ public class NonValidatingObjectMapper {
     private static final ObjectMapper nonValidatingObjectMapper = new ObjectMapper();
 
     static {
+        nonValidatingObjectMapper.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
         nonValidatingObjectMapper.setSerializationInclusion(Include.NON_NULL);
         nonValidatingObjectMapper.configure(JsonParser.Feature.STRICT_DUPLICATE_DETECTION, false);
         nonValidatingObjectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
@@ -65,12 +66,7 @@ public static <T> T readValue(String string, JavaType jt) throws IOException {
         }
 
         try {
-            return AccessController.doPrivileged(new PrivilegedExceptionAction<T>() {
-                @Override
-                public T run() throws Exception {
-                    return nonValidatingObjectMapper.readValue(string, jt);
-                }
-            });
+            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> nonValidatingObjectMapper.readValue(string, jt));
         } catch (final PrivilegedActionException e) {
             throw (IOException) e.getCause();
         }