[
https://issues.apache.org/jira/browse/HTTPCORE-615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17005649#comment-17005649
]
Scott W Gifford commented on HTTPCORE-615:
------------------------------------------
Also: IMO it's worth considering a strategy for moving away from Java object
serialization, including making this new serializer the default. I suspect
sites will start turning java object serialization off when it's available to
turn off because of the security implications, and it will prevent bugs caused
by its brittleness (like HTTPCORE-578).
I know this is new code and not ready to be the default yet, but also a Beta is
a good time for a somewhat disruptive change like this.
We'll start using the 4.5.x version of this in a production site in early 2020
and I'll report back what we find.
-----Scott.
> Implement more robust cache serializer with an HTTP-like storage format
> (replacing existing one based on Java Object Serialization)
> -----------------------------------------------------------------------------------------------------------------------------------
>
> Key: HTTPCORE-615
> URL: https://issues.apache.org/jira/browse/HTTPCORE-615
> Project: HttpComponents HttpCore
> Issue Type: New Feature
> Reporter: Scott W Gifford
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> HTTPCORE-578 was caused by the brittleness of using Java Object Serialization
> to store cache objects. Java Object Serialization requires careful
> understanding of what sorts of changes require a new serialization version,
> with small mistakes leading to surprising results; further, Java Object
> Serialization has security issues, and will be an optional feature in
> upcoming Java releases (with Jigsaw). It would be better to have a more
> stable serialization approach.
> Since the Apache client already knows how to communicate with HTTP, one
> simple approach would be to serialize as if we were writing to an HTTP
> client, and deserialize as if we were reading from an HTTP server.
> I have developed a serializer that does that, and would like to contribute it
> back to the Apache project.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
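The storage approach the issue proposes, sketched below as an added example. This is not HttpCore's serializer and does not reproduce its class names or exact grammar; `HttpFormatCacheSerializer`, `Entry`, the `MAX_HEADER_BYTES` bound and the `Cached` reason phrase are assumptions. A cache entry is written out as an HTTP/1.1 response (status line, headers, `Content-Length`, blank line, body) and read back with a strict parser that rejects anything off-grammar.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration, not HttpCore's code: a cache entry stored as an
 * HTTP/1.1 response.  The stored bytes name no Java classes, so reading
 * them back can never instantiate an attacker-chosen type the way
 * ObjectInputStream.readObject() does with a crafted stream.
 */
public final class HttpFormatCacheSerializer {

    /** What a caching client needs to replay a response (assumed shape). */
    public static final class Entry {
        public final int status;
        public final Map<String, String> headers;
        public final byte[] body;

        public Entry(int status, Map<String, String> headers, byte[] body) {
            this.status = status;
            this.headers = new LinkedHashMap<>(headers);
            this.body = body.clone();
        }
    }

    private static final int MAX_HEADER_BYTES = 64 * 1024; // bounds parser work per line

    /** Write: status line, headers, Content-Length, blank line, body. */
    public static byte[] serialize(Entry e) throws IOException {
        StringBuilder head = new StringBuilder();
        head.append("HTTP/1.1 ").append(e.status).append(" Cached\r\n");
        for (Map.Entry<String, String> h : e.headers.entrySet()) {
            String name = h.getKey(), value = h.getValue();
            // CR/LF in a name or value would let a value inject an extra header
            // line (same bug class as response splitting); refuse to write it.
            if (name.isEmpty() || name.indexOf(':') >= 0 || hasCtl(name) || hasCtl(value)) {
                throw new IOException("unsafe header: " + name);
            }
            if (name.equalsIgnoreCase("Content-Length")) continue; // the serializer owns this one
            head.append(name).append(": ").append(value).append("\r\n");
        }
        head.append("Content-Length: ").append(e.body.length).append("\r\n\r\n");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(head.toString().getBytes(StandardCharsets.ISO_8859_1));
        out.write(e.body);
        return out.toByteArray();
    }

    /** Read back strictly: any deviation from the grammar is a corrupt entry, not a guess. */
    public static Entry deserialize(byte[] data) throws IOException {
        int[] pos = {0};
        String statusLine = readLine(data, pos);
        String[] parts = statusLine.split(" ", 3);
        if (parts.length < 2 || !parts[0].equals("HTTP/1.1")) {
            throw new IOException("bad status line: " + statusLine);
        }
        int status = Integer.parseInt(parts[1]);
        if (status < 100 || status > 599) throw new IOException("bad status: " + status);

        Map<String, String> headers = new LinkedHashMap<>();
        long contentLength = -1;
        String line;
        while (!(line = readLine(data, pos)).isEmpty()) {
            int colon = line.indexOf(':');
            if (colon <= 0) throw new IOException("bad header line: " + line);
            String name = line.substring(0, colon).trim();
            String value = line.substring(colon + 1).trim();
            if (name.equalsIgnoreCase("Content-Length")) contentLength = Long.parseLong(value);
            else headers.put(name, value);
        }
        // Body length must match exactly: neither truncation nor trailing bytes pass.
        int remaining = data.length - pos[0];
        if (contentLength < 0 || contentLength != remaining) {
            throw new IOException("Content-Length " + contentLength + " vs " + remaining + " body bytes");
        }
        return new Entry(status, headers, Arrays.copyOfRange(data, pos[0], data.length));
    }

    private static boolean hasCtl(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7f || c > 0xff) return true;
        }
        return false;
    }

    /** One CRLF-terminated ISO-8859-1 line; missing CRLF or an oversize line is an error. */
    private static String readLine(byte[] data, int[] pos) throws IOException {
        int start = pos[0];
        int limit = Math.min(data.length, start + MAX_HEADER_BYTES);
        for (int i = start; i + 1 < limit; i++) {
            if (data[i] == '\r' && data[i + 1] == '\n') {
                pos[0] = i + 2;
                return new String(data, start, i - start, StandardCharsets.ISO_8859_1);
            }
        }
        throw new IOException("missing CRLF or line too long");
    }

    public static void main(String[] args) throws IOException {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Type", "text/plain");
        h.put("ETag", "\"abc\"");
        byte[] stored = serialize(new Entry(200, h, "hello".getBytes(StandardCharsets.UTF_8)));
        Entry back = deserialize(stored);
        System.out.println(back.status + " " + back.headers + " " + new String(back.body, StandardCharsets.UTF_8));
        // A tampered (here: truncated) entry is rejected rather than silently mis-parsed.
        try { deserialize(Arrays.copyOf(stored, stored.length - 1)); }
        catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Two properties carry the security argument. First, the bytes on disk are data, not a class graph: the reader can only ever build an `Entry`, so a tampered or attacker-supplied cache file has no path to the gadget-chain behaviour that makes `ObjectInputStream` dangerous. Second, a schema change shows up as a visible header that old readers ignore or reject, rather than a `serialVersionUID` mismatch or a silently misread field. If Java object serialization has to stay on during a migration, `java.io.ObjectInputFilter` (JEP 290, Java 9; backported to 8u121) can restrict which classes `readObject` may instantiate, but that is a mitigation on top of an unsafe format, not a replacement for moving off it.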