[ https://issues.apache.org/jira/browse/SHIRO-824?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17358749#comment-17358749 ]
Brian Demers commented on SHIRO-824: ------------------------------------ Hey [~k4n5hao]! The mailing lists are a better place to ask questions about Shiro: https://shiro.apache.org/mailing-lists.html But to answer your question, you should be able to apply to filter similar to this: [https://docs.oracle.com/javase/10/core/serialization-filtering1.htm] Or you could create your own {{Serializer}} if that doesn't meet your needs: https://github.com/apache/shiro/blob/df81077726b407f905ba16a9f57ba731b7736375/lang/src/main/java/org/apache/shiro/lang/io/Serializer.java#L32 > how to create an allow list avoid deserialize vulnerability > ----------------------------------------------------------- > > Key: SHIRO-824 > URL: https://issues.apache.org/jira/browse/SHIRO-824 > Project: Shiro > Issue Type: Question > Components: RememberMe > Affects Versions: 1.7.1 > Reporter: k4n5hao > Priority: Critical > > how to create an allow list (or similar), to avoid deserialize vulnerability > like Shiro-550 whith rememberMe? i really check doc and google, icant't find > one. thx -- This message was sent by Atlassian Jira (v8.3.4#803005)