[ https://issues.apache.org/jira/browse/GEODE-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16292940#comment-16292940 ]
ASF GitHub Bot commented on GEODE-3923:
---------------------------------------
karensmolermiller closed pull request #1166: GEODE-3923 Document the 2 new
properties serializable-object-filter
URL: https://github.com/apache/geode/pull/1166
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/geode-docs/reference/topics/gemfire_properties.html.md.erb
b/geode-docs/reference/topics/gemfire_properties.html.md.erb
index a80ba023a1..3d99fbbdd2 100644
--- a/geode-docs/reference/topics/gemfire_properties.html.md.erb
+++ b/geode-docs/reference/topics/gemfire_properties.html.md.erb
@@ -572,6 +572,13 @@ Any security-related (properties that begin with <code
class="ph codeph">securit
<td><em>not set</em></td>
</tr>
<tr class="even">
+<td>serializable-object-filter</td>
+<td>A semicolon-separated list of items that become full class names of
objects that the system will serialize when the property
validate-serializable-objects is set to true. The list is expanded using the
patterns specified in the <code>createFilter</code> method at
+<a
href="https://docs.oracle.com/javase/9/docs/api/java/io/ObjectInputFilter.Config.html">https://docs.oracle.com/javase/9/docs/api/java/io/ObjectInputFilter.Config.html</a>.</td>
+<td>S, C</td>
+<td>"!*"</td>
+</tr>
+<tr class="even">
<td>server-bind-address</td>
<td>Relevant only for multi-homed hosts - machines with multiple network
interface cards. Network adapter card a <%=vars.product_name%> server binds to
for client/server communication. You can use this to separate the server’s
client/server communication from its peer-to-peer communication, spreading the
traffic load.
<p>This is a machine-wide attribute used for communication with clients in
client/server and multi-site installations. This setting has no effect on
locator configuration.</p>
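Review bot: the description in the new `serializable-object-filter` row ("A semicolon-separated list of items that become full class names of objects that the system will serialize") is hard to parse and says "serialize" where the property governs deserialization, which is what the companion `validate-serializable-objects` row describes; suggest "A semicolon-separated list of patterns, in the syntax accepted by `ObjectInputFilter.Config.createFilter`, matching the fully qualified names of classes that may be deserialized when `validate-serializable-objects` is true." The `"!*"` default also needs a sentence saying what it does (in that syntax a leading `!` rejects the matched names and `*` matches any class, so with the default every class that is not internal to the product is rejected), and the link goes to the Java 9 API docs while the other row requires JDK 8 build 121, so align the two. Minor: the added `<tr class="even">` follows the existing `<tr class="even">` directly, breaking the table's odd/even row alternation.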
@@ -753,6 +760,12 @@ See <a
href="../../developing/distributed_regions/how_region_versioning_works.ht
<td>S</td>
<td><em>not set</em></td>
</tr>
+<tr class="even">
+<td>validate-serializable-objects</td>
+<td>A boolean that defaults to false. When true, instances of classes that are
not internal to <%=vars.product_name%> and whose class name is not allowed by
the list defined in the serializable-object-filter property will not be
permitted to be deserialized. An <code>IncompatibleClassException</code> is
thrown for objects not listed. JDK 8 build 121 or a later build must be
installed to use this property. Servers and clients that do not meet this
requirement will throw an exception upon startup.</td>
+<td>S, C</td>
+<td>false</td>
+</tr>
</tbody>
</table>
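Review bot: the exception name in `An <code>IncompatibleClassException</code> is thrown for objects not listed` should be verified: when a JDK `ObjectInputFilter` rejects a class, `ObjectInputStream` throws `java.io.InvalidClassException`, and the JDK has no `IncompatibleClassException` type; if the product wraps the failure in an exception of its own, give that class's fully qualified name. The row also says "JDK 8 build 121 or a later build must be installed", while the filter-pattern link in the `serializable-object-filter` row above points at the Java 9 API; point both rows at the same release so readers look up the right pattern syntax. Lastly, "will not be permitted to be deserialized" can be tightened to "are rejected during deserialization".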
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
> Provide whitelist/blacklist capability for java serialization
> -------------------------------------------------------------
>
> Key: GEODE-3923
> URL: https://issues.apache.org/jira/browse/GEODE-3923
> Project: Geode
> Issue Type: New Feature
> Components: docs
> Reporter: Bruce Schuchardt
> Assignee: Karen Smoler Miller
> Fix For: 1.4.0
>
>
> I would like to be able to restrict what classes of objects Geode will allow
> to be deserialized via Java's ObjectInputStream in clients and servers.
> Something similar to the mechanism recently added to the JRE
> (http://openjdk.java.net/jeps/290) would be pretty cool. Geode would have to
> whitelist its own stuff, of course, so I don't have to deal with it.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)