Posted to dev@juneau.apache.org by James Bognar <ja...@apache.org> on 2021/12/19 17:46:41 UTC

Removal of Java Serialized Object marshallers.

FYI....I'm planning to remove the Java Serialized Object marshallers
in Juneau due to security concerns.  The JsoSerializer and JsoParser
classes are simply wrappers on top of ObjectInputStream and
ObjectOutputStream.  They've been isolated for a long time with
warnings that you should be careful when using them.  However, I'm
noticing that we are being dinged on security reports by merely
referencing the ObjectInputStream and ObjectOutputStream classes.

I highly doubt anyone is using (or should be using) these classes, so
I'm just going to remove them entirely in 9.0.

Please speak up if anyone has any objections.

Re: Removal of Java Serialized Object marshallers.

Posted by Gary Gregory <ga...@gmail.com>.
Go for it.

Gary

On Sun, Dec 19, 2021, 12:47 James Bognar <ja...@apache.org> wrote:

> FYI....I'm planning to remove the Java Serialized Object marshallers
> in Juneau due to security concerns.  The JsoSerializer and JsoParser
> classes are simply wrappers on top of ObjectInputStream and
> ObjectOutputStream.  They've been isolated for a long time with
> warnings that you should be careful when using them.  However, I'm
> noticing that we are being dinged on security reports by merely
> referencing the ObjectInputStream and ObjectOutputStream classes.
>
> I highly doubt anyone is using (or should be using) these classes, so
> I'm just going to remove them entirely in 9.0.
>
> Please speak up if anyone has any objections.
>