Hello,

By design, having ArbitrarySerializable (sorry, arbitrary deserialization) 
built in a generic piece of code is a security hole: gadgets can be crafted and 
result in remote code execution.

We instead introduced a byte serializer. It is now up to the application user to 
serialize its attributes and wrap them in a bytes-backed attribute at the edges 
of the James server.

See https://issues.apache.org/jira/browse/JAMES-3829

Should you need assistance with this migration, I would be happy to help with 
professional support.


--


Best regards,



Benoit TELLIER



General manager of Linagora VIETNAM.

Product owner for Team-Mail product.

Chairman of the Apache James project.



Mail: btell...@linagora.com

Tel: (0033) 6 77 26 04 58 (WhatsApp, Signal)

On Jul 17, 2023 7:18 PM, from Martijn Brinkers:

I'm in the process of converting code for James 2.X to 3.8.

I'm having some trouble storing an instance of an arbitrary class as a Mail
attribute.

James 2.X supported storing Serializable objects directly as a Mail
attribute. In James 3.X this was changed to a specialized procedure using
JSON serialization.

It looks like I need to implement ArbitrarySerializable to support storing
arbitrary objects. There is an example implementation of ArbitrarySerializable
but that's only a simple example supporting an Integer which works because
AttributeValue.of already supports Integers.

Can someone help me with an example on how to store complex objects as a
Mail attribute?

Kind regards,

Martijn Brinkers
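
One way to follow the advice in the reply above, as an added example that is not code from this thread or from Apache James: a hypothetical `ScanVerdict` class (name, fields and size limits are assumptions) encodes its own fields to a `byte[]` in an explicit, versioned format and decodes them without `ObjectInputStream`, so the bytes can never select which class gets instantiated. How the resulting `byte[]` is wrapped in a James attribute is left out because the thread does not show that API; see the JIRA issue linked above. Requires Java 10 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
// Hypothetical application type, constructed for this example; not part of Apache James.
public class ScanVerdict {
    static final int VERSION = 1, MAX_TAGS = 64, MAX_STRING = 1024;
    final String engine; final boolean infected; final List<String> tags;
    ScanVerdict(String e, boolean i, List<String> t) { engine = e; infected = i; tags = List.copyOf(t); }
    // Explicit, versioned encoding: only field data is written, never class names.
    byte[] toBytes() throws IOException {
        if (tags.size() > MAX_TAGS) throw new IOException("too many tags");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeByte(VERSION);
        writeString(out, engine);
        out.writeBoolean(infected);
        out.writeShort(tags.size());
        for (String t : tags) writeString(out, t);
        return buf.toByteArray();
    }
    // Decoding can only ever build a ScanVerdict, and it bounds every length it reads.
    static ScanVerdict fromBytes(byte[] bytes) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes));
        if (in.readUnsignedByte() != VERSION) throw new IOException("unknown version");
        String engine = readString(in);
        boolean infected = in.readBoolean();
        int n = in.readUnsignedShort();
        if (n > MAX_TAGS) throw new IOException("too many tags");
        List<String> tags = new ArrayList<>();
        for (int i = 0; i < n; i++) tags.add(readString(in));
        if (in.available() != 0) throw new IOException("trailing bytes");
        return new ScanVerdict(engine, infected, tags);
    }
    static void writeString(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        if (b.length > MAX_STRING) throw new IOException("string too long");
        out.writeShort(b.length);
        out.write(b);
    }
    static String readString(DataInputStream in) throws IOException {
        int len = in.readUnsignedShort();
        if (len > MAX_STRING) throw new IOException("string too long");
        byte[] b = new byte[len];
        in.readFully(b); // throws EOFException on truncated input
        return new String(b, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample values: round-trip one verdict through its byte form.
        System.out.println(fromBytes(new ScanVerdict("example-engine", true, List.of("eicar")).toBytes()).tags);
    }
}
```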
