[
https://issues.apache.org/jira/browse/GEODE-9758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478140#comment-17478140
]
ASF subversion and git services commented on GEODE-9758:
--------------------------------------------------------
Commit 7978abf34707d11da45cff0b7cb7445f18d21438 in geode's branch
refs/heads/develop from Kirk Lund
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=7978abf ]
GEODE-9758: Add internal serial filter API (#7217)
GEODE-9758: Add internal serial filter API #7217
Expand ObjectInputStreamFilterWrapper to be an internal API which
supports all of Geode's uses of Java's ObjectInputFilter.
Introduce a new system property, geode.enableGlobalSerialFilter, to
enable a process-wide filter with all serializable Geode classes on the
classpath and the value of serializable-object-filter accept-listed.
To enable the process-wide filter with GFSH start commands, add:
* --J=-Dgeode.enableGlobalSerialFilter=true
Functional Capabilities
The internal API lives in geode-serialization and works on OpenJDK
based JREs providing a facade for Java's ObjectInputFilter in Java 8
and Java 9 or greater using reflection. The API provides the following
capabilities:
* creating an ObjectInputFilter
* setting an ObjectInputFilter on an ObjectInputStream
* getting an ObjectInputFilter from a ObjectInputStream
* setting a process-wide ObjectInputFilter
* getting a process-wide ObjectInputFilter
Design Notes
The API defines the following primary interface types:
* factory interfaces for creating instances of types within the API
* filter interfaces to split out single ops from Java's
ObjectInputFilter
* configuration interfaces for handling system properties, logging,
and config validation
The concrete classes in the API receive parameters injected via a
constructor for any collaborators that are not specified by the
interfaces. This is intentional even when the instance is only used
once before de-referencing it. All collaborators that are defined in
the interface are passed in as parameters to the implementing
method; all others are passed in via the constructor and stored as
fields.
> Configure locator serialization filtering by default on Java 8
> --------------------------------------------------------------
>
> Key: GEODE-9758
> URL: https://issues.apache.org/jira/browse/GEODE-9758
> Project: Geode
> Issue Type: Improvement
> Affects Versions: 1.12.7
> Reporter: Jianxia Chen
> Assignee: Jianxia Chen
> Priority: Major
> Labels: pull-request-available
>
> When Geode locator is running on Java 8 JVM, the serialization filter should
> be configured by default to accept only JDK classes and Geode classes.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
