[geode] branch develop updated: GEODE-4672 Geode fails to start with JDK 9 if validate-serializable-objects is set

2018-03-02 Thread bschuchardt
This is an automated email from the ASF dual-hosted git repository.

bschuchardt pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
 new a636cb0  GEODE-4672 Geode fails to start with JDK 9 if validate-serializable-objects is set
a636cb0 is described below

commit a636cb0c23c82cfb85e9f410e009ef63ef1fa360
Author: Bruce Schuchardt 
AuthorDate: Fri Mar 2 16:13:51 2018 -0800

GEODE-4672 Geode fails to start with JDK 9 if validate-serializable-objects is set

fixing a merge problem
---
 .../java/org/apache/geode/internal/ObjectInputStreamFilterWrapper.java   | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/geode-core/src/main/java/org/apache/geode/internal/ObjectInputStreamFilterWrapper.java
 
b/geode-core/src/main/java/org/apache/geode/internal/ObjectInputStreamFilterWrapper.java
index 68b550c..1e6a643 100644
--- 
a/geode-core/src/main/java/org/apache/geode/internal/ObjectInputStreamFilterWrapper.java
+++ 
b/geode-core/src/main/java/org/apache/geode/internal/ObjectInputStreamFilterWrapper.java
@@ -215,7 +215,6 @@ public class ObjectInputStreamFilterWrapper implements 
InputStreamFilter {
   }
   String className = serialClass.getName();
   if (serialClass.isArray()) {
-serialClass = serialClass.getComponentType();
 className = serialClass.getComponentType().getName();
   }
   if (sanctionedClasses.contains(className)) {
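Review bot: dropping the `serialClass = serialClass.getComponentType();` reassignment is the right fix, because the retained line `className = serialClass.getComponentType().getName();` would otherwise have taken the component type twice and dereferenced null for any one-dimensional array. One follow-up worth considering: the surviving code unwraps exactly one array level, so for a nested array the computed className is the JVM descriptor of the inner array type (for example `[Ljava.lang.String;`), which can never match an entry in sanctionedClasses; if multi-dimensional arrays of sanctioned classes are meant to pass, a loop that strips component types until a non-array class is reached would do it, and if they are meant to be rejected a comment saying so would stop the next reader from "fixing" it.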

-- 
To stop receiving notification emails like this one, please contact
bschucha...@apache.org.


[geode] branch develop updated: GEODE-4672 Geode fails to start with JDK 9 if validate-serializable-objects is set

2018-03-02 Thread bschuchardt
This is an automated email from the ASF dual-hosted git repository.

bschuchardt pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git


The following commit(s) were added to refs/heads/develop by this push:
 new 94ded7f  GEODE-4672 Geode fails to start with JDK 9 if validate-serializable-objects is set
94ded7f is described below

commit 94ded7f3561a9ec4848843e3841d593fcd4d77d9
Author: Bruce Schuchardt 
AuthorDate: Fri Mar 2 11:21:39 2018 -0800

GEODE-4672 Geode fails to start with JDK 9 if validate-serializable-objects is set

The ObjectInputFilter wrapper now uses reflection and a dynamic
proxy to interact with the serialization filter classes. A dynamic
proxy is needed since we have to implement a method specified in
a class whose package has changed in the JDK. The logic of the filter
has not been changed.

I also replaced a couple of recently added white-list wildcards with specific
classes and added a javadoc for the whitelist in InternalDataSerializer.
I opened a new JIRA ticket concerning another wildcard that was recently
added for the JDBC connector and left a TODO in place for this.

This closes #1526
---
 .../apache/geode/internal/InputStreamFilter.java   |   3 +
 .../geode/internal/InternalDataSerializer.java |  68 +--
 .../internal/ObjectInputStreamFilterWrapper.java   | 196 ++---
 ...alDataSerializerSerializationWhitelistTest.java |   9 +-
 4 files changed, 229 insertions(+), 47 deletions(-)

diff --git 
a/geode-core/src/main/java/org/apache/geode/internal/InputStreamFilter.java 
b/geode-core/src/main/java/org/apache/geode/internal/InputStreamFilter.java
index 19d4102..43b43e6 100644
--- a/geode-core/src/main/java/org/apache/geode/internal/InputStreamFilter.java
+++ b/geode-core/src/main/java/org/apache/geode/internal/InputStreamFilter.java
@@ -17,5 +17,8 @@ package org.apache.geode.internal;
 import java.io.ObjectInputStream;
 
 public interface InputStreamFilter {
+
+  /** establish a serialization filter on the given stream */
   void setFilterOn(ObjectInputStream ois);
+
 }
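Review bot: the new Javadoc on setFilterOn is the only documentation on this interface, so it should also state the one ordering constraint that matters to callers: the filter has to be installed before the first readObject on the stream, since the JDK's setObjectInputFilter refuses to be called once objects have been read. Style-wise, start the sentence with a capital and end it with a period ("Establish a serialization filter on the given stream."), and the two blank lines added inside the interface body are not needed.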
diff --git 
a/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
 
b/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
index 3d842be..8c2b27d 100644
--- 
a/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
+++ 
b/geode-core/src/main/java/org/apache/geode/internal/InternalDataSerializer.java
@@ -138,28 +138,59 @@ public abstract class InternalDataSerializer extends 
DataSerializer implements D
* serialization.
*/
   private static final Map classesToSerializers = new 
ConcurrentHashMap<>();
+
+
+  /**
+   * This list contains classes that Geode's classes subclass, such as antlr 
AST classes which
+   * are used by our Object Query Language. It also contains certain
+   * classes that are DataSerializable but end up being serialized as part of 
other serializable
+   * objects. VersionedObjectList, for instance, is serialized as part of a
+   * partial putAll exception object.
+   * 
+   * Do not java-serialize objects that Geode does not have complete control 
over. This
+   * leaves us open to security attacks such as Gadget Chains and compromises 
the ability
+   * to do a rolling upgrade from one version of Geode to the next.
+   * 
+   * In general you shouldn't use java serialization and you should implement
+   * DataSerializableFixedID
+   * for internal Geode objects. This gives you better control over 
backward-compatibility.
+   * 
+   * Do not add to this list unless absolutely necessary. Instead put your 
classes either
+   * in the sanctionedSerializables file for your module or in its 
excludedClasses file.
+   * Run AnalyzeSerializables to generate the content for the file.
+   * 
+   */
   private static final String SANCTIONED_SERIALIZABLES_DEPENDENCIES_PATTERN =
   "java.**;javax.management.**" + ";javax.print.attribute.EnumSyntax" // 
used for some old enums
   + ";antlr.**" // query AST objects
-  + ";org.apache.commons.modeler.AttributeInfo" // old Admin API
-  + ";org.apache.commons.modeler.FeatureInfo" // old Admin API
-  + ";org.apache.commons.modeler.ManagedBean" // old Admin API
-  + 
";org.apache.geode.distributed.internal.DistributionConfigSnapshot" // old 
Admin API
-  + 
";org.apache.geode.distributed.internal.RuntimeDistributionConfigImpl" // old 
Admin API
-  + ";org.apache.geode.distributed.internal.DistributionConfigImpl" // 
old Admin API
-  + 
";org.apache.geode.distributed.internal.membership.InternalDistributedMember" 
// RegionSnapshotService
-   
   // function
-   
   //
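Review bot: the Javadoc added at the top of this hunk says "Do not add to this list unless absolutely necessary" and warns about gadget chains, yet the pattern immediately below still opens with the `java.**` and `javax.management.**` wildcards, which admit every class in those package trees; a sentence explaining why those two prefixes must remain wildcards (and whether `java.**` could be narrowed to specific classes the way the old Admin API entries are replaced further down in this same hunk) would make the allow-list auditable by someone who did not write it. Separately, the removal of the `org.apache.commons.modeler.*`, `DistributionConfigSnapshot`, `RuntimeDistributionConfigImpl`, `DistributionConfigImpl` and `InternalDistributedMember` entries is not mentioned in the commit message; if they moved into a module's sanctionedSerializables file, say so there, since a reader of this diff cannot tell a relocation from a silent loss of sanctioning.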
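The mechanism the second commit message describes, an ObjectInputFilter interface located by reflection and a java.lang.reflect.Proxy standing in for its checkInput method so the same class works whether the interface lives in sun.misc (JDK 8u121+) or java.io (JDK 9+), as an added example in Java that is not Geode's own ObjectInputStreamFilterWrapper. The JDK names used (java.io.ObjectInputFilter, sun.misc.ObjectInputFilter, their nested FilterInfo, Status and Config types, ObjectInputStream.setObjectInputFilter on JDK 9+, Config.setObjectInputFilter on JDK 8) are real; the class name PortableAllowListFilter and the allow-list contents are constructed for the demo. Unlike the one-level array handling in the first commit's hunk, this version unwraps nested arrays down to their element type.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

/**
 * Allow-list deserialization filter installed through reflection and a dynamic proxy so that one
 * class runs on JDK 8u121+ (sun.misc.ObjectInputFilter) and JDK 9+ (java.io.ObjectInputFilter).
 * Added example; not Geode's ObjectInputStreamFilterWrapper.
 */
public final class PortableAllowListFilter {
  private final Set<String> sanctionedClasses;
  private final Class<?> filterInterface; // ObjectInputFilter from whichever package exists
  private final Class<?> statusEnum;      // its nested Status enum (ALLOWED/REJECTED/UNDECIDED)
  private final Method serialClassMethod; // FilterInfo.serialClass(), looked up on the interface
  private final Object filterProxy;       // proxy implementing filterInterface via handle()

  public PortableAllowListFilter(Set<String> sanctionedClasses) throws ReflectiveOperationException {
    this.sanctionedClasses = sanctionedClasses;
    this.filterInterface = locateFilterInterface();
    this.statusEnum = Class.forName(filterInterface.getName() + "$Status");
    this.serialClassMethod = Class.forName(filterInterface.getName() + "$FilterInfo").getMethod("serialClass");
    this.filterProxy = Proxy.newProxyInstance(getClass().getClassLoader(),
        new Class<?>[] {filterInterface}, this::handle);
  }

  private static Class<?> locateFilterInterface() throws ClassNotFoundException {
    try {
      return Class.forName("java.io.ObjectInputFilter");  // JDK 9 and later
    } catch (ClassNotFoundException e) {
      return Class.forName("sun.misc.ObjectInputFilter"); // JDK 8u121 and later
    }
  }

  /** Body of the proxied checkInput(FilterInfo); the proxy forwards every interface call here. */
  private Object handle(Object proxy, Method method, Object[] args) throws ReflectiveOperationException {
    String name = method.getName();
    if (!"checkInput".equals(name)) { // equals/hashCode/toString invoked on the proxy itself
      return "toString".equals(name) ? toString() : "hashCode".equals(name) ? (Object) hashCode() : proxy == args[0];
    }
    Class<?> serialClass = (Class<?>) serialClassMethod.invoke(args[0]);
    if (serialClass == null) {
      return status("UNDECIDED"); // depth and array-length probes carry no class
    }
    Class<?> element = serialClass;
    while (element.isArray()) { // unwrap nested arrays down to the element type
      element = element.getComponentType();
    }
    boolean allowed = element.isPrimitive() || sanctionedClasses.contains(element.getName());
    return status(allowed ? "ALLOWED" : "REJECTED");
  }

  private Object status(String constantName) {
    for (Object constant : statusEnum.getEnumConstants()) {
      if (((Enum<?>) constant).name().equals(constantName)) {
        return constant;
      }
    }
    throw new IllegalStateException("no Status constant named " + constantName);
  }

  /** Install the filter on a stream before its first readObject, via whichever setter the JDK has. */
  public void setFilterOn(ObjectInputStream ois) throws ReflectiveOperationException {
    try { // JDK 9+: instance method ObjectInputStream.setObjectInputFilter(ObjectInputFilter)
      ObjectInputStream.class.getMethod("setObjectInputFilter", filterInterface).invoke(ois, filterProxy);
    } catch (NoSuchMethodException e) { // JDK 8: static ObjectInputFilter.Config.setObjectInputFilter(ois, filter)
      Class.forName(filterInterface.getName() + "$Config")
          .getMethod("setObjectInputFilter", ObjectInputStream.class, filterInterface)
          .invoke(null, ois, filterProxy);
    }
  }

  /** Serializes value, reads it back through the filter, and reports whether it was admitted. */
  public boolean roundTripAllowed(Object value) throws IOException, ReflectiveOperationException {
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
      out.writeObject(value);
    }
    try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
      setFilterOn(in);
      in.readObject();
      return true;
    } catch (InvalidClassException rejected) { // raised by the stream when the filter answers REJECTED
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    Set<String> allow = new HashSet<>(); // constructed allow-list for the demo
    allow.add("java.util.Date");
    PortableAllowListFilter filter = new PortableAllowListFilter(allow);
    System.out.println("Date admitted:      " + filter.roundTripAllowed(new Date()));
    System.out.println("ArrayList admitted: " + filter.roundTripAllowed(new ArrayList<String>()));
  }
}
```

The proxy is the piece that lets the class compile without naming either package: the interface's Status constants and its FilterInfo.serialClass() accessor are resolved from the located interface at construction time, and the filter logic itself never sees a JDK-specific type. Installation mirrors the commit's wrapper in shape, trying the JDK 9 instance setter first and falling back to the JDK 8 static Config setter, so the stream rejects unsanctioned classes with an InvalidClassException before any of their code runs.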