[ 
https://issues.apache.org/jira/browse/GEODE-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16291790#comment-16291790
 ] 

ASF GitHub Bot commented on GEODE-3923:
---------------------------------------

bschuchardt commented on a change in pull request #1166: GEODE-3923 Document 
the 2 new properties serializable-object-filter
URL: https://github.com/apache/geode/pull/1166#discussion_r157090381
 
 

 ##########
 File path: geode-docs/reference/topics/gemfire_properties.html.md.erb
 ##########
 @@ -753,6 +760,12 @@ See <a 
href="../../developing/distributed_regions/how_region_versioning_works.ht
 <td>S</td>
 <td><em>not set</em></td>
 </tr>
+<tr class="even">
+<td>validate-serializable-objects</td>
+<td>A boolean that defaults to false. When true, all internal 
<%=vars.product_name%> classes and the objects defined by the property 
serializable-object-filter will be serialized. An 
<code>IncompatibleClassException</code> is thrown for objects not listed. JDK 8 
build 121 or a later build must be installed to use this property. Servers and 
clients that do not meet this requirement will throw an exception upon 
startup.</td>
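Review bot: The last two sentences of the added validate-serializable-objects cell state the JDK requirement unconditionally ("Servers and clients that do not meet this requirement will throw an exception upon startup"), which reads as if a member on an older JDK fails to start even when the property keeps its default of false. If the startup failure only applies when the property is true, say so in that sentence. Also consider writing the version in the JDK's own naming, Java 8 update 121 (8u121), rather than "build 121", and stating that the <code>IncompatibleClassException</code> is thrown at the point an object is read rather than leaving the timing implicit.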
 
 Review comment:
   I think this should say "instances of classes that are not internal to 
<%=vars.product_name%> and whose class name is not allowed by the 
serializable-object-filter will not be permitted to be deserialized."
   
   The property controls what is allowed to be deserialized, not what is 
allowed to be serialized.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Provide whitelist/blacklist capability for java serialization
> -------------------------------------------------------------
>
>                 Key: GEODE-3923
>                 URL: https://issues.apache.org/jira/browse/GEODE-3923
>             Project: Geode
>          Issue Type: New Feature
>          Components: docs
>            Reporter: Bruce Schuchardt
>            Assignee: Karen Smoler Miller
>             Fix For: 1.4.0
>
>
> I would like to be able to restrict what classes of objects Geode will allow 
> to be deserialized via Java's ObjectInputStream in clients and servers.  
> Something similar to the mechanism recently added to the JRE 
> (http://openjdk.java.net/jeps/290) would be pretty cool.  Geode would have to 
> whitelist its own stuff, of course, so I don't have to deal with it.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
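
The review comment's distinction (the filter constrains what is deserialized, not what is serialized) can be seen with the plain JDK mechanism from JEP 290 that the issue refers to. This is an added example, not Geode code or part of the original message: it uses `java.io.ObjectInputFilter` from Java 9 and later (on JDK 8u121 the equivalent type is `sun.misc.ObjectInputFilter`), and the class `Order` and the filter pattern are constructed for illustration. The JDK signals a rejection with `InvalidClassException`, whereas the documentation under review names `IncompatibleClassException` for Geode.

```java
import java.io.*;
import java.util.ArrayList;

public class FilterDemo {
    // Constructed application class; stands in for a type you would allow.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Writing is never filtered: any Serializable object can be serialized.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Reading is where the filter applies; it must be set before readObject().
    static Object deserialize(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list two classes, then reject everything else with "!*".
        String pattern = "FilterDemo$Order;java.lang.String;!*";

        byte[] allowed = serialize(new Order("A-1"));
        byte[] notListed = serialize(new ArrayList<String>()); // serializes fine

        Order o = (Order) deserialize(allowed, pattern);
        System.out.println("allowed class read back: " + o.id);

        try {
            deserialize(notListed, pattern);
            System.out.println("unexpected: unlisted class was deserialized");
        } catch (InvalidClassException e) {
            // The JDK rejects the class while reading the stream.
            System.out.println("rejected on read: " + e.getMessage());
        }
    }
}
```

Pattern entries are evaluated left to right and the first match decides, so the allowed names must come before the trailing `!*`.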
