JinwooHwang commented on code in PR #7966:
URL: https://github.com/apache/geode/pull/7966#discussion_r2604844616
##########
extensions/geode-modules-session-internal/src/main/java/org/apache/geode/modules/session/internal/filter/GemfireHttpSession.java:
##########
@@ -144,8 +145,15 @@ public Object getAttribute(String name) {
oos.writeObject(obj);
oos.close();
+ // Create filter from user configuration for secure deserialization
+ String filterPattern = getServletContext()
+ .getInitParameter("serializable-object-filter");
+ ObjectInputFilter filter = filterPattern != null
+ ? ObjectInputFilter.Config.createFilter(filterPattern)
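Review bot: the filter is rebuilt from the `serializable-object-filter` init parameter on every call into `getAttribute`, so it should be created once and cached rather than per deserialization. The hunk also ends at the `?` branch, so the `:` fallback for a null pattern and the `setObjectInputFilter(...)` call on the input stream are not visible here; please confirm the fallback is an explicit choice (deny-all or the JVM-wide filter) rather than an unfiltered stream. Note that `ObjectInputFilter.Config.createFilter` throws `IllegalArgumentException` on a malformed pattern, so a bad configuration value would surface only at the first deserialization; validating it when the filter is first built fails faster.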
Review Comment:
I appreciate your excellent point, @sboorlagadda. I've implemented filter
caching using the double-checked locking pattern with volatile fields. The
changes include:
- Added `private volatile ObjectInputFilter cachedFilter` to cache the
filter instance
- Added `private volatile boolean filterLogged` to ensure one-time logging
- Implemented `getOrCreateFilter()` method that creates and caches the
filter on first use
- The double-checked locking ensures thread-safety without synchronization
overhead on subsequent calls
This eliminates the performance overhead of recreating the filter on
every deserialization and prevents race conditions in multi-threaded servlet
environments.
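The caching scheme the reply describes, written out as an added example (my code, not the PR's `GemfireHttpSession`): a hypothetical `FilteredCopy` class that builds the filter once with double-checked locking on volatile fields, logs it once, and applies it to the copy stream. The reject-all fallback when no pattern is configured is an assumption, since the hunk's `:` branch is not shown.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.logging.Logger;

/** Hypothetical stand-in for the session class; not Geode's own code. */
public class FilteredCopy {
  private static final Logger LOG = Logger.getLogger(FilteredCopy.class.getName());

  private final String filterPattern;              // "serializable-object-filter" value, may be null
  private volatile ObjectInputFilter cachedFilter; // double-checked locking cache
  private volatile boolean filterLogged;           // one-time log guard

  FilteredCopy(String filterPattern) { this.filterPattern = filterPattern; }

  /** Builds the filter on first use; later calls only read the volatile field. */
  ObjectInputFilter getOrCreateFilter() {
    ObjectInputFilter f = cachedFilter;
    if (f == null) {
      synchronized (this) {
        f = cachedFilter;
        if (f == null) {
          // createFilter throws IllegalArgumentException on a malformed pattern.
          // Assumption: with no pattern configured, reject every class ("!*").
          f = ObjectInputFilter.Config.createFilter(filterPattern != null ? filterPattern : "!*");
          cachedFilter = f;
          if (!filterLogged) { LOG.info("Deserialization filter: " + f); filterLogged = true; }
        }
      }
    }
    return f;
  }

  /** Deep-copies a Serializable through a filtered stream, as the hunk's getAttribute does. */
  Object copy(Object obj) throws Exception {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
    try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
      ois.setObjectInputFilter(getOrCreateFilter());
      return ois.readObject(); // InvalidClassException when the filter rejects a class
    }
  }

  public static void main(String[] args) throws Exception {
    FilteredCopy listsOnly = new FilteredCopy("java.util.ArrayList;!*");
    System.out.println(listsOnly.copy(new java.util.ArrayList<String>())); // allowed
    try { listsOnly.copy(new java.util.Date()); }                           // rejected by "!*"
    catch (java.io.InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```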
--
This is an automated message from the Apache Git Service.