sboorlagadda commented on code in PR #7966:
URL: https://github.com/apache/geode/pull/7966#discussion_r2604729450


##########
extensions/geode-modules-session-internal/src/main/java/org/apache/geode/modules/session/internal/filter/GemfireHttpSession.java:
##########
@@ -144,8 +145,15 @@ public Object getAttribute(String name) {
           oos.writeObject(obj);
           oos.close();
 
+          // Create filter from user configuration for secure deserialization
+          String filterPattern = getServletContext()
+              .getInitParameter("serializable-object-filter");
+          ObjectInputFilter filter = filterPattern != null
+              ? ObjectInputFilter.Config.createFilter(filterPattern)
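Review bot: The filter is rebuilt on every getAttribute call: the init parameter is read from the servlet context and ObjectInputFilter.Config.createFilter re-parses the pattern string each time an attribute is deserialized. Consider reading "serializable-object-filter" once (for example when the session filter is initialised) and keeping the resulting ObjectInputFilter in a field; that also makes a malformed pattern fail at startup rather than on first access. The else branch of the ternary falls outside this hunk, so whatever it substitutes when the parameter is absent decides whether deserialization is fail-open by default; a comment stating the intended default would help reviewers.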

Review Comment:
   Are we concerned with any duplicate object creations? Should we guard them against races?



##########
extensions/geode-modules/src/main/java/org/apache/geode/modules/util/ClassLoaderObjectInputStream.java:
##########
@@ -16,16 +16,41 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.ObjectInputFilter;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 
 /**
  * This class is used when session attributes need to be reconstructed with a 
new classloader.
+ * It now supports ObjectInputFilter for secure deserialization.
  */
 public class ClassLoaderObjectInputStream extends ObjectInputStream {
 
   private final ClassLoader loader;
 
+  /**
+   * Constructs a ClassLoaderObjectInputStream with an ObjectInputFilter for 
secure deserialization.
+   *
+   * @param in the input stream to read from
+   * @param loader the ClassLoader to use for class resolution
+   * @param filter the ObjectInputFilter to validate deserialized classes 
(required for security)
+   * @throws IOException if an I/O error occurs
+   */
+  public ClassLoaderObjectInputStream(InputStream in, ClassLoader loader, 
ObjectInputFilter filter)
+      throws IOException {
+    super(in);
+    this.loader = loader;
+    setObjectInputFilter(filter);
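Review bot: The constructor Javadoc calls the filter "required for security", but nothing enforces that: a null filter is passed straight to setObjectInputFilter, which accepts null, leaving the stream without a stream-specific filter and silently defeating the purpose of the new constructor. Suggest failing fast instead, e.g. `setObjectInputFilter(Objects.requireNonNull(filter, "filter"));` with `import java.util.Objects;` added to the imports. Minor: the class Javadoc line "It now supports ObjectInputFilter for secure deserialization." reads as a changelog entry; describing the current behaviour ("Applies the supplied ObjectInputFilter to every object read from the stream") would age better.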

Review Comment:
   Should we add a null check?
   ```java
   if (filter != null) {
     setObjectInputFilter(filter);
   }
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
