New candidate JEP: 415: Context-Specific Deserialization Filters & JEP 411

jini at zeus.net.au jini at zeus.net.au
Tue May 11 21:05:31 UTC 2021


Hi Roger,

You are right, filters help those using existing software because 
they're unlikely to rewrite it. We use TLS connections to protect Java 
serialization, as a configuration concern, but these will break after 
JEP 411.

So an attacker who wanted to use serialization as an attack vector 
would need to be the first to use Java Serialization, in order to first 
change the System property, then cause the static field 
ObjectInputFilter.Config.serialFilter to be initialized, which might 
actually be possible on a system that doesn't use Java Serialization at 
all, because it leaves serialFilter in an uninitialized state. If a 
SecurityManager is in place, the attacker requires a PropertyPermission 
and SerializablePermission("serialFilter"). We currently use the 
principle of least privilege, so we have a SecurityManager and policies 
in place; however, these will be removed in future due to JEP 411.

Any chance we can have SerializablePermission("deserialize")? I know 
SecurityManager will be removed, but having the permission would allow 
us to prevent third party library code from using ObjectInputStream to 
deserialize.

Replacement of Java serialization, as an exercise (when you have the 
opportunity to modify code):

First with your filter parameter to disable serialization:

      [java] May 11, 2021 4:45:56 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java] java.io.InvalidClassException: filter status: REJECTED
      [java]     at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1356)
      [java]     at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1992)
      [java]     at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1868)
      [java]     at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2161)
      [java]     at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1685)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:499)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:457)
      [java]     at org.apache.river.qa.harness.MasterTest.main(MasterTest.java:117)
      [java] Unexpected exception:
      [java] java.io.IOException: The pipe is being closed
      [java]     at java.base/java.io.FileOutputStream.writeBytes(Native Method)
      [java]     at java.base/java.io.FileOutputStream.write(FileOutputStream.java:347)
      [java]     at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
      [java]     at java.base/java.io.BufferedOutputStream.write(BufferedOutputStream.java:127)
      [java]     at java.base/java.io.ObjectOutputStream$BlockDataOutputStream.drain(ObjectOutputStream.java:1893)
      [java]     at java.base/java.io.ObjectOutputStream$BlockDataOutputStream.setBlockDataMode(ObjectOutputStream.java:1802)
      [java]     at java.base/java.io.ObjectOutputStream.writeNonProxyDesc(ObjectOutputStream.java:1295)
      [java]     at java.base/java.io.ObjectOutputStream.writeClassDesc(ObjectOutputStream.java:1240)
      [java]     at java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1436)
      [java]     at java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1187)
      [java]     at java.base/java.io.ObjectOutputStream.writeFatalException(ObjectOutputStream.java:1609)
      [java]     at java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:356)
      [java]     at org.apache.river.qa.harness.MasterHarness.runTestOtherVM(MasterHarness.java:884)
      [java]     at org.apache.river.qa.harness.MasterHarness.access$200(MasterHarness.java:123)
      [java]     at org.apache.river.qa.harness.MasterHarness$TestRunner.run(MasterHarness.java:617)
      [java]     at org.apache.river.qa.harness.MasterHarness.runTests(MasterHarness.java:444)
      [java]     at org.apache.river.qa.harness.QARunner.main(QARunner.java:67)


Then replacing ObjectInputStream and ObjectOutputStream with equivalent 
implementations that provide atomic failure and input validation; note 
how circular links are not supported:


      [java] May 11, 2021 4:54:50 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java] java.io.StreamCorruptedException: Unable to read field: resolver, class java.lang.Object
      [java] while deserializing an object instance of: org.apache.river.qa.harness.QAConfig
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1308)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFields(AtomicMarshalInputStream.java:1200)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.instantiateAtomicSerialOrDiscard(AtomicMarshalInputStream.java:2792)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNewObject(AtomicMarshalInputStream.java:2536)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNonPrimitiveContent(AtomicMarshalInputStream.java:967)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObject(AtomicMarshalInputStream.java:3026)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObjectOverride(AtomicMarshalInputStream.java:2926)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:490)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:457)
      [java]     at org.apache.river.qa.harness.MasterTest.main(MasterTest.java:118)
      [java] Caused by: java.io.StreamCorruptedException: Unable to read field: config, class java.lang.Object
      [java] while deserializing an object instance of: org.apache.river.qa.harness.Resolver
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1308)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFields(AtomicMarshalInputStream.java:1200)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.instantiateAtomicSerialOrDiscard(AtomicMarshalInputStream.java:2792)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNewObject(AtomicMarshalInputStream.java:2536)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNonPrimitiveContent(AtomicMarshalInputStream.java:967)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObject(AtomicMarshalInputStream.java:3026)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1268)
      [java]     ... 9 more
      [java] Caused by: org.apache.river.api.io.CircularReferenceException: Circular reference
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.registeredObjectRead(AtomicMarshalInputStream.java:3178)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readCyclicReference(AtomicMarshalInputStream.java:1037)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNonPrimitiveContent(AtomicMarshalInputStream.java:991)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObject(AtomicMarshalInputStream.java:3026)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1268)
      [java]     ... 15 more

Then another circular reference to fix:

      [java] May 11, 2021 6:10:18 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java] java.io.StreamCorruptedException: Unable to read field: td, class java.lang.Object
      [java] while deserializing an object instance of: org.apache.river.qa.harness.QAConfig
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1308)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFields(AtomicMarshalInputStream.java:1200)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.instantiateAtomicSerialOrDiscard(AtomicMarshalInputStream.java:2792)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNewObject(AtomicMarshalInputStream.java:2536)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNonPrimitiveContent(AtomicMarshalInputStream.java:967)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObject(AtomicMarshalInputStream.java:3026)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObjectOverride(AtomicMarshalInputStream.java:2926)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:490)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:457)
      [java]     at org.apache.river.qa.harness.MasterTest.main(MasterTest.java:118)
      [java] Caused by: java.io.StreamCorruptedException: Unable to read field: config, class java.lang.Object
      [java] while deserializing an object instance of: org.apache.river.qa.harness.TestDescription
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1308)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFields(AtomicMarshalInputStream.java:1200)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.instantiateAtomicSerialOrDiscard(AtomicMarshalInputStream.java:2792)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNewObject(AtomicMarshalInputStream.java:2536)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNonPrimitiveContent(AtomicMarshalInputStream.java:967)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObject(AtomicMarshalInputStream.java:3026)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1268)
      [java]     ... 9 more
      [java] Caused by: org.apache.river.api.io.CircularReferenceException: Circular reference
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.registeredObjectRead(AtomicMarshalInputStream.java:3178)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readCyclicReference(AtomicMarshalInputStream.java:1037)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readNonPrimitiveContent(AtomicMarshalInputStream.java:991)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readObject(AtomicMarshalInputStream.java:3026)
      [java]     at org.apache.river.api.io.AtomicMarshalInputStream.readFieldValues(AtomicMarshalInputStream.java:1268)
      [java]     ... 15 more

Then something else that uses Java serialization:

      [java] May 11, 2021 7:21:20 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java]
      [java] TIME: 7:21:21 pm
      [java]
      [java] MasterTest.doTest INFO:
      [java] ============================== CALLING CONSTRUCT() ==============================
      [java]
      [java] QAConfig.genIntegrityCodebase WARNING: WARNING: file not found for codebase http://DESKTOP-R0ORPA2:9081/nonactivatablegroup-dl.jar in directory C:\Users\peter\Documents\NetBeansProjects\JGDMS\qa\lib, DISCARDING
      [java]
      [java] TIME: 7:21:22 pm
      [java]
      [java] Test process was destroyed and returned code 1
      [java] org/apache/river/test/spec/lookupservice/test_set02/LeaseMapRenew.td
      [java] Test Failed: Construct Failed: org.apache.river.qa.harness.TestException: Problem creating service for net.jini.core.lookup.ServiceRegistrar; nested exception is:
      [java]     Failed to start the shared nonactivatable group; nested exception is:
      [java]     NonActivatableGroupAdmin: Failed to exec the group; nested exception is:
      [java]     filter status: REJECTED


Then another use of Java Serialization:


      [java] May 11, 2021 7:55:09 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java]
      [java] TIME: 7:55:09 pm
      [java]
      [java] MasterTest.doTest INFO:
      [java] ============================== CALLING CONSTRUCT() ==============================
      [java]
      [java] QAConfig.genIntegrityCodebase WARNING: WARNING: file not found for codebase http://DESKTOP-R0ORPA2:9081/nonactivatablegroup-dl.jar in directory C:\Users\peter\Documents\NetBeansProjects\JGDMS\qa\lib, DISCARDING
      [java] NonActGrp-out: May 11, 2021 7:55:11 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] NonActGrp-out: INFO: Creating serialization filter from !*
      [java] org.apache.river.qa.harness.TestException: Problem creating service for net.jini.core.lookup.ServiceRegistrar; nested exception is:
      [java]     RemoteException in server thread; nested exception is:
      [java]     java.rmi.RemoteException: Create failed; nested exception is:
      [java]     java.io.InvalidClassException: filter status: REJECTED
      [java]     at org.apache.river.qa.harness.NonActivatableServiceStarterAdmin.start(NonActivatableServiceStarterAdmin.java:157)
      [java]     at org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)
      [java]     at org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)
      [java]     at org.apache.river.qa.harness.AdminManager.startLookupService(AdminManager.java:679)
      [java]     at org.apache.river.test.spec.lookupservice.QATestRegistrar.construct(QATestRegistrar.java:468)
      [java]     at org.apache.river.test.spec.lookupservice.test_set02.LeaseMapRenew.construct(LeaseMapRenew.java:113)
      [java]     at org.apache.river.qa.harness.MasterTest.doTest(MasterTest.java:241)
      [java]     at org.apache.river.qa.harness.MasterTest.access$000(MasterTest.java:51)
      [java]     at org.apache.river.qa.harness.MasterTest$1.run(MasterTest.java:187)
      [java]     at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
      [java]     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:486)
      [java]     at org.apache.river.qa.harness.MasterTest.doTestWithLogin(MasterTest.java:184)
      [java]     at org.apache.river.qa.harness.MasterTest.main(MasterTest.java:163)
      [java] Caused by: java.rmi.ServerException: RemoteException in server thread; nested exception is:
      [java]     java.rmi.RemoteException: Create failed; nested exception is:
      [java]     java.io.InvalidClassException: filter status: REJECTED
      [java]     at net.jini.jeri.BasicInvocationDispatcher.dispatch(BasicInvocationDispatcher.java:746)
      [java]     at net.jini.jeri.AtomicInvocationDispatcher.dispatch(AtomicInvocationDispatcher.java:251)
      [java]     at org.apache.river.jeri.internal.runtime.Target$2.run(Target.java:493)
      [java]     at net.jini.export.ServerContext.doWithServerContext(ServerContext.java:113)
      [java]     at org.apache.river.jeri.internal.runtime.Target.dispatch(Target.java:490)
      [java]     at org.apache.river.jeri.internal.runtime.Target.access$000(Target.java:57)
      [java]     at org.apache.river.jeri.internal.runtime.Target$1.run(Target.java:466)
      [java]     at java.security.AccessController.doPrivileged(AccessController.java:691)
      [java]     at org.apache.river.jeri.internal.runtime.Target.dispatch(Target.java:463)
      [java]     at org.apache.river.jeri.internal.runtime.Target.dispatch(Target.java:428)
      [java]     at org.apache.river.jeri.internal.runtime.DgcRequestDispatcher.dispatch(DgcRequestDispatcher.java:207)
      [java]     at net.jini.jeri.connection.ServerConnectionManager$Dispatcher.dispatch(ServerConnectionManager.java:147)
      [java]     at org.apache.river.jeri.internal.mux.MuxServer$1$1.run(MuxServer.java:247)
      [java]     at java.security.AccessController.doPrivileged(AccessController.java:391)
      [java]     at org.apache.river.jeri.internal.mux.MuxServer$1.run(MuxServer.java:243)
      [java]     at org.apache.river.thread.ThreadPool$Task.run(ThreadPool.java:172)
      [java]     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
      [java]     at java.util.concurrent.FutureTask.run(FutureTask.java:264)
      [java]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
      [java]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
      [java]     at java.lang.Thread.run(Thread.java:832)
      [java]     at org.apache.river.jeri.internal.runtime.Util.__________EXCEPTION_RECEIVED_FROM_SERVER__________(Util.java:113)
      [java]     at org.apache.river.jeri.internal.runtime.Util.exceptionReceivedFromServer(Util.java:106)
      [java]     at net.jini.jeri.BasicInvocationHandler.unmarshalThrow(BasicInvocationHandler.java:1433)
      [java]     at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethodOnce(BasicInvocationHandler.java:914)
      [java]     at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethod(BasicInvocationHandler.java:728)
      [java]     at net.jini.jeri.BasicInvocationHandler.invoke(BasicInvocationHandler.java:597)
      [java]     at net.jini.jeri.AtomicInvocationHandler.invoke(AtomicInvocationHandler.java:315)
      [java]     at org.apache.river.qa.harness.$Proxy3.startService(Unknown Source)
      [java]     at org.apache.river.qa.harness.NonActivatableServiceStarterAdmin.start(NonActivatableServiceStarterAdmin.java:149)
      [java]     ... 12 more
      [java] Caused by: java.rmi.RemoteException: Create failed; nested exception is:
      [java]     java.io.InvalidClassException: filter status: REJECTED
      [java]     at org.apache.river.qa.harness.GroupImpl.startService(GroupImpl.java:163)
      [java]     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      [java]     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      [java]     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      [java]     at java.lang.reflect.Method.invoke(Method.java:564)
      [java]     at net.jini.jeri.BasicInvocationDispatcher.invoke(BasicInvocationDispatcher.java:1288)
      [java]     at net.jini.jeri.BasicInvocationDispatcher.dispatch(BasicInvocationDispatcher.java:710)
      [java]     at net.jini.jeri.AtomicInvocationDispatcher.dispatch(AtomicInvocationDispatcher.java:251)
      [java]     at org.apache.river.jeri.internal.runtime.Target$2.run(Target.java:493)
      [java]     at net.jini.export.ServerContext.doWithServerContext(ServerContext.java:113)
      [java]     at org.apache.river.jeri.internal.runtime.Target.dispatch(Target.java:490)
      [java]     at org.apache.river.jeri.internal.runtime.Target.access$000(Target.java:57)
      [java]     at org.apache.river.jeri.internal.runtime.Target$1.run(Target.java:466)
      [java]     at java.security.AccessController.doPrivileged(AccessController.java:691)
      [java]     at org.apache.river.jeri.internal.runtime.Target.dispatch(Target.java:463)
      [java]     at org.apache.river.jeri.internal.runtime.Target.dispatch(Target.java:428)
      [java]     at org.apache.river.jeri.internal.runtime.DgcRequestDispatcher.dispatch(DgcRequestDispatcher.java:207)
      [java]     at net.jini.jeri.connection.ServerConnectionManager$Dispatcher.dispatch(ServerConnectionManager.java:147)
      [java]     at org.apache.river.jeri.internal.mux.MuxServer$1$1.run(MuxServer.java:247)
      [java]     at java.security.AccessController.doPrivileged(AccessController.java:391)
      [java]     at org.apache.river.jeri.internal.mux.MuxServer$1.run(MuxServer.java:243)
      [java]     at org.apache.river.thread.ThreadPool$Task.run(ThreadPool.java:172)
      [java]     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
      [java]     at java.util.concurrent.FutureTask.run(FutureTask.java:264)
      [java]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
      [java]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
      [java]     at java.lang.Thread.run(Thread.java:832)
      [java] Caused by: java.io.InvalidClassException: filter status: REJECTED
      [java]     at java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1356)
      [java]     at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1992)
      [java]     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1868)
      [java]     at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2161)
      [java]     at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1685)
      [java]     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:499)
      [java]     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:457)
      [java]     at net.jini.io.MarshalledInstance.get(MarshalledInstance.java:611)
      [java]     at net.jini.io.MarshalledInstance.get(MarshalledInstance.java:527)
      [java]     at org.apache.river.start.NonActivatableServiceDescriptor.create(NonActivatableServiceDescriptor.java:729)
      [java]     at org.apache.river.qa.harness.GroupImpl.doInit(GroupImpl.java:204)
      [java]     at org.apache.river.qa.harness.GroupImpl.access$000(GroupImpl.java:47)
      [java]     at org.apache.river.qa.harness.GroupImpl$1.run(GroupImpl.java:186)
      [java]     at org.apache.river.qa.harness.GroupImpl$1.run(GroupImpl.java:183)
      [java]     at java.security.AccessController.doPrivileged(AccessController.java:691)
      [java]     at javax.security.auth.Subject.doAsPrivileged(Subject.java:552)
      [java]     at org.apache.river.qa.harness.GroupImpl.doInitWithLogin(GroupImpl.java:180)
      [java]     at org.apache.river.qa.harness.GroupImpl.startService(GroupImpl.java:154)
      [java]     ... 26 more
      [java] MasterTest.doTest INFO:
      [java] ============================ CALLING TEARDOWN() =============================


Another use of Java Serialization:


      [java] May 11, 2021 8:01:49 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java]
      [java] TIME: 8:01:50 pm
      [java]
      [java] MasterTest.doTest INFO:
      [java] ============================== CALLING CONSTRUCT() ==============================
      [java]
      [java] QAConfig.genIntegrityCodebase WARNING: WARNING: file not found for codebase http://DESKTOP-R0ORPA2:9081/nonactivatablegroup-dl.jar in directory C:\Users\peter\Documents\NetBeansProjects\JGDMS\qa\lib, DISCARDING
      [java] NonActGrp-out: May 11, 2021 8:01:51 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] NonActGrp-out: INFO: Creating serialization filter from !*
      [java] MasterTest.doTest INFO:
      [java] =============================== CALLING RUN() ===============================
      [java]
      [java] java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
      [java]     java.io.InvalidClassException: filter status: REJECTED
      [java]     at org.apache.river.reggie.proxy.RegistrarProxy.lookup(RegistrarProxy.java:173)
      [java]     at org.apache.river.test.spec.lookupservice.QATestUtils.doLookup(QATestUtils.java:651)
      [java]     at org.apache.river.test.spec.lookupservice.test_set02.LeaseMapRenew.run(LeaseMapRenew.java:189)
      [java]     at org.apache.river.qa.harness.MasterTest.doTest(MasterTest.java:277)
      [java]     at org.apache.river.qa.harness.MasterTest.access$000(MasterTest.java:51)
      [java]     at org.apache.river.qa.harness.MasterTest$1.run(MasterTest.java:187)
      [java]     at java.base/java.security.AccessController.doPrivileged(AccessController.java:391)
      [java]     at java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:486)
      [java]     at org.apache.river.qa.harness.MasterTest.doTestWithLogin(MasterTest.java:184)
      [java]     at org.apache.river.qa.harness.MasterTest.main(MasterTest.java:163)
      [java] Caused by: java.io.InvalidClassException: filter status: REJECTED
      [java]     at java.base/java.io.ObjectInputStream.filterCheck(ObjectInputStream.java:1356)
      [java]     at java.base/java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1992)
      [java]     at java.base/java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1868)
      [java]     at java.base/java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2161)
      [java]     at java.base/java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1685)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:499)
      [java]     at java.base/java.io.ObjectInputStream.readObject(ObjectInputStream.java:457)
      [java]     at net.jini.io.MarshalledInstance.get(MarshalledInstance.java:611)
      [java]     at net.jini.io.MarshalledInstance.get(MarshalledInstance.java:527)
      [java]     at net.jini.io.MarshalledInstance.get(MarshalledInstance.java:442)
      [java]     at org.apache.river.proxy.MarshalledWrapper.get(MarshalledWrapper.java:217)
      [java]     at org.apache.river.reggie.proxy.RegistrarProxy.lookup(RegistrarProxy.java:171)
      [java]     ... 9 more
      [java]
      [java] TIME: 8:04:28 pm
      [java]
      [java] MasterTest.doTest INFO:
      [java] ============================ CALLING TEARDOWN() =============================


Finally a working test without using Java Serialization:


      [java] May 11, 2021 8:10:33 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] INFO: Creating serialization filter from !*
      [java]
      [java] TIME: 8:10:34 pm
      [java]
      [java] MasterTest.doTest INFO:
      [java] ============================== CALLING CONSTRUCT() ==============================
      [java]
      [java] QAConfig.genIntegrityCodebase WARNING: WARNING: file not found for codebase http://DESKTOP-R0ORPA2:9081/nonactivatablegroup-dl.jar in directory C:\Users\peter\Documents\NetBeansProjects\JGDMS\qa\lib, DISCARDING
      [java] NonActGrp-out: May 11, 2021 8:10:35 PM java.io.ObjectInputFilter$Config lambda$static$0
      [java] NonActGrp-out: INFO: Creating serialization filter from !*
      [java] MasterTest.doTest INFO:
      [java] =============================== CALLING RUN() ===============================
      [java]
      [java]
      [java] TIME: 8:19:13 pm
      [java]
      [java] MasterTest.doTest INFO:
      [java] ============================ CALLING TEARDOWN() =============================
      [java]
      [java]
      [java] TIME: 8:19:24 pm
      [java]
      [java] Test process was destroyed and returned code 0
      [java] org/apache/river/test/spec/lookupservice/test_set02/LeaseMapRenew.td
      [java] Test Passed: OK
      [java]
      [java]
      [java] -----------------------------------------
      [java]
      [java] SUMMARY =================================
      [java]
      [java] org/apache/river/test/spec/lookupservice/test_set02/LeaseMapRenew.td
      [java] Test Passed: OK
      [java]
      [java] -----------------------------------------

On 11/05/2021 3:36 am, Roger Riggs wrote:
> Hi Peter,
>
> There is a set of properties whose values are read at startup and cached
> so changes later do not affect behavior.  The serial filter properties 
> are cached.
>
> For example, java.home, user.home, user.dir, user.name, 
> java.library.path, java.io.tmpdir.
>
> Regards, Roger
>
>
> On 5/7/21 6:24 PM, Peter Firmstone wrote:
>> Roger,
>>
>> Can we make properties specified from the command line immutable?
>>
>> So code can't switch it back on again.  It's not much good if code 
>> can change a property, there will be no SecurityManager to prevent it 
>> from doing so in future.
>>
>> Not trying to sandbox, just want to keep the security holes closed.
>>
>> Thanks,
>>
>> Peter.
>>
>> On 8/05/2021 7:30 am, Roger Riggs wrote:
>>> Hi Peter,
>>>
>>> Point noted, but does not address existing production apps dependent 
>>> on serialization.
>>> We've been encouraging developers to use other serialization 
>>> mechanisms for years.
>>>
>>> As of JDK 9, JEP 290 can specify a filter on the command line to 
>>> reject all classes.
>>>
>>>  ...  "-Djdk.serialFilter=!*" ...
>>>
>>> Regards, Roger
>>>
>>>
>>> On 5/6/21 8:44 PM, Peter Firmstone wrote:
>>>> While I'm not against such a thing, it indicates increasing 
>>>> complexity in the game of de-serialization whack-a-mole.
>>>>
>>>> It also suggests people are using Java Serialization to process 
>>>> un-trusted data.
>>>>
>>>> I think that Serialization Filters are a design mistake, we should 
>>>> just enable the existing Java Serialization to be turned off 
>>>> completely.  The time spent writing these things should be spent 
>>>> implementing new Serialization APIs.
>>>>
>>>> A property or command line argument that cannot be changed at 
>>>> runtime to switch off Java Serialization would be appreciated.
>>>>
>>>> A new public API for Serialization which includes Object level 
>>>> input validation and failure atomicity needs to be designed that is 
>>>> suitable for use with many Serialization protocols.
>>>>
>>>> Serialization is a public interface, we should start declaring it 
>>>> as such.
>>>>
>>>
>
-- 
Regards,
  Peter Firmstone
0498 286 363
Zeus Project Services Pty Ltd.
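Added illustration of the filter API this thread is discussing. This is example code written for this page, not code from the thread, from JGDMS/River, or from the JDK; the class name FilterDemo and the ArrayList payload are constructed for the demonstration. It shows the three behaviours the messages above rely on: the process-wide filter set from -Djdk.serialFilter (or programmatically), the fact that ObjectInputFilter.Config.setSerialFilter can only succeed once per JVM (so whoever calls it first wins, which is why a defender wants it set as early as possible), and a per-stream allowlist filter that overrides the process-wide one for a single ObjectInputStream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

/**
 * Example (not JDK, JGDMS or River code). Run as "java FilterDemo" to see the
 * programmatic filter, or "java -Djdk.serialFilter=!* FilterDemo" to see the
 * command-line form from the thread; both reject the process-wide read.
 */
public class FilterDemo {

    /** Serialize a benign, constructed object graph to bytes. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize, optionally with a stream-specific filter, and report the outcome. */
    static String deserialize(byte[] bytes, ObjectInputFilter streamFilter) {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (streamFilter != null) {
                // Replaces the process-wide filter for this stream only (allowed once per stream).
                ois.setObjectInputFilter(streamFilter);
            }
            return "accepted: " + ois.readObject();
        } catch (InvalidClassException e) {
            // Message is "filter status: REJECTED", the same text seen in the logs above.
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Touch Config before anything else so the jdk.serialFilter property is
        //    read (and the filter initialized) before other code gets a chance to
        //    call System.setProperty() on it.
        ObjectInputFilter current = ObjectInputFilter.Config.getSerialFilter();
        System.out.println("process-wide filter at startup: " + current);

        // 2. No command-line filter? Install a reject-all one programmatically.
        if (current == null) {
            ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!*"));
        }

        // 3. The process-wide filter can be set only once per JVM; a later attempt
        //    (here, trying to loosen it to "*") throws IllegalStateException.
        try {
            ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("*"));
            System.out.println("UNEXPECTED: process-wide filter was replaced");
        } catch (IllegalStateException expected) {
            System.out.println("second setSerialFilter rejected: " + expected.getMessage());
        }

        List<String> payload = new ArrayList<>(List.of("hello", "world")); // constructed sample
        byte[] bytes = serialize(payload);

        // 4. Under "!*" every class is rejected, harmless ones included.
        System.out.println("process-wide filter: " + deserialize(bytes, null));

        // 5. A per-stream allowlist admits only what this caller expects; anything
        //    else in the stream still hits the trailing "!*" and is rejected.
        ObjectInputFilter allowList =
                ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.String;!*");
        System.out.println("stream allowlist:    " + deserialize(bytes, allowList));
    }
}
```

Step 1 is the practical answer to the race described in the message: the static filter is materialised when ObjectInputFilter.Config is first initialised, so forcing that initialisation from the application's own entry point leaves no window for other code to swap the property first, and step 3 shows that once it is set it cannot be changed from within the JVM. Step 5 is the per-stream override that JEP 415's filter factory later lets the process-wide configuration control.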


