We've been looking at a javaagent and/or a WeavingHook to do the same thing. Prefer the WeavingHook since we could configure it as a service, but half our environments are on an older platform that doesn't have that ability yet.
-----Original Message-----
From: Bertrand Delacretaz [mailto:[email protected]]
Sent: Wednesday, November 11, 2015 2:20 PM
To: Bertrand Delacretaz <[email protected]>
Cc: dev <[email protected]>
Subject: Re: SafeObjectInputStream prototype

On Tue, Nov 10, 2015 at 3:09 PM, Bertrand Delacretaz <[email protected]> wrote:
> ...I have created a prototype at SLING-5288 to guard against recently
> reported Java deserialization risks...

In the meantime I also tested https://github.com/kantega/notsoserial which is very interesting as that's a Java agent that can protect existing unmodified code. Requires bootdelegating org.kantega.* to use in an OSGi environment.

-Bertrand
