Posted to commits@dubbo.apache.org by li...@apache.org on 2021/09/08 00:13:37 UTC
[dubbo] branch 3.0 updated: Add Serialization warning message to
java serialization (#8716)
This is an automated email from the ASF dual-hosted git repository.
liujun pushed a commit to branch 3.0
in repository https://gitbox.apache.org/repos/asf/dubbo.git
The following commit(s) were added to refs/heads/3.0 by this push:
new 1eee76e Add Serialization warning message to java serialization (#8716)
1eee76e is described below
commit 1eee76e052c351060a8b4a7e134fb495701c2379
Author: Albumen Kevin <jh...@gmail.com>
AuthorDate: Wed Sep 8 08:13:18 2021 +0800
Add Serialization warning message to java serialization (#8716)
---
.../dubbo/common/serialize/java/JavaSerialization.java | 15 +++++++++++++++
.../serialize/nativejava/NativeJavaSerialization.java | 17 ++++++++++++++++-
2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/java/JavaSerialization.java b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/java/JavaSerialization.java
index 2045e4e..996fe6e 100644
--- a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/java/JavaSerialization.java
+++ b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/java/JavaSerialization.java
@@ -17,6 +17,8 @@
package org.apache.dubbo.common.serialize.java;
import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.logger.Logger;
+import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.serialize.ObjectInput;
import org.apache.dubbo.common.serialize.ObjectOutput;
import org.apache.dubbo.common.serialize.Serialization;
@@ -24,6 +26,7 @@ import org.apache.dubbo.common.serialize.Serialization;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.util.concurrent.atomic.AtomicBoolean;
import static org.apache.dubbo.common.serialize.Constants.JAVA_SERIALIZATION_ID;
@@ -35,6 +38,8 @@ import static org.apache.dubbo.common.serialize.Constants.JAVA_SERIALIZATION_ID;
* </pre>
*/
public class JavaSerialization implements Serialization {
+ private static final Logger logger = LoggerFactory.getLogger(JavaSerialization.class);
+ private final static AtomicBoolean warn = new AtomicBoolean(false);
@Override
public byte getContentTypeId() {
@@ -48,11 +53,21 @@ public class JavaSerialization implements Serialization {
@Override
public ObjectOutput serialize(URL url, OutputStream out) throws IOException {
+ if (warn.compareAndSet(false, true)) {
+ logger.error("Java serialization is unsafe. Dubbo Team do not recommend anyone to use it." +
+ "If you still want to use it, please follow [JEP 290](https://openjdk.java.net/jeps/290)" +
+ "to set serialization filter to prevent deserialization leak.");
+ }
return new JavaObjectOutput(out);
}
@Override
public ObjectInput deserialize(URL url, InputStream is) throws IOException {
+ if (warn.compareAndSet(false, true)) {
+ logger.error("Java serialization is unsafe. Dubbo Team do not recommend anyone to use it." +
+ "If you still want to use it, please follow [JEP 290](https://openjdk.java.net/jeps/290)" +
+ "to set serialization filter to prevent deserialization leak.");
+ }
return new JavaObjectInput(is);
}
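Review bot: The three string fragments passed to `logger.error(...)` in `serialize` are concatenated without separating spaces, so the logged text reads `use it.If you still` and `jeps/290)to set`, fusing the JEP 290 URL with the next word. The same message is repeated in `deserialize` here and in both methods of the NativeJavaSerialization hunk. Ending the first two fragments with a space fixes it, e.g. `"... do not recommend anyone to use it. " +` and `"...(https://openjdk.java.net/jeps/290) " +`, and moving the text into one shared constant would keep the four copies from drifting. The message is advisory only: the static `warn` flag lets it fire once per class, and nothing here checks whether a JEP 290 filter (for example the `jdk.serialFilter` property) is configured. Its absence from later logs therefore says nothing about whether deserialization of untrusted input is actually restricted.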
diff --git a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/nativejava/NativeJavaSerialization.java b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/nativejava/NativeJavaSerialization.java
index 6617d29..20d9d0a 100644
--- a/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/nativejava/NativeJavaSerialization.java
+++ b/dubbo-serialization/dubbo-serialization-jdk/src/main/java/org/apache/dubbo/common/serialize/nativejava/NativeJavaSerialization.java
@@ -18,13 +18,17 @@
package org.apache.dubbo.common.serialize.nativejava;
import org.apache.dubbo.common.URL;
+import org.apache.dubbo.common.logger.Logger;
+import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.serialize.ObjectInput;
import org.apache.dubbo.common.serialize.ObjectOutput;
import org.apache.dubbo.common.serialize.Serialization;
+import org.apache.dubbo.common.serialize.java.JavaSerialization;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.util.concurrent.atomic.AtomicBoolean;
import static org.apache.dubbo.common.serialize.Constants.NATIVE_JAVA_SERIALIZATION_ID;
@@ -36,7 +40,8 @@ import static org.apache.dubbo.common.serialize.Constants.NATIVE_JAVA_SERIALIZAT
* </pre>
*/
public class NativeJavaSerialization implements Serialization {
-
+ private static final Logger logger = LoggerFactory.getLogger(JavaSerialization.class);
+ private final static AtomicBoolean warn = new AtomicBoolean(false);
@Override
public byte getContentTypeId() {
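Review bot: The logger added to NativeJavaSerialization is created with `LoggerFactory.getLogger(JavaSerialization.class)`, so the warning is attributed to the wrong class and an operator reading the logs cannot tell which of the two serializations is in use. It should be `LoggerFactory.getLogger(NativeJavaSerialization.class)`, which also makes the `org.apache.dubbo.common.serialize.java.JavaSerialization` import added in the previous hunk unnecessary. As a style point, `private final static` is conventionally written `private static final`, matching the logger line above it. The body of `getContentTypeId` continues outside this hunk.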
@@ -50,11 +55,21 @@ public class NativeJavaSerialization implements Serialization {
@Override
public ObjectOutput serialize(URL url, OutputStream output) throws IOException {
+ if (warn.compareAndSet(false, true)) {
+ logger.error("Java serialization is unsafe. Dubbo Team do not recommend anyone to use it." +
+ "If you still want to use it, please follow [JEP 290](https://openjdk.java.net/jeps/290)" +
+ "to set serialization filter to prevent deserialization leak.");
+ }
return new NativeJavaObjectOutput(output);
}
@Override
public ObjectInput deserialize(URL url, InputStream input) throws IOException {
+ if (warn.compareAndSet(false, true)) {
+ logger.error("Java serialization is unsafe. Dubbo Team do not recommend anyone to use it." +
+ "If you still want to use it, please follow [JEP 290](https://openjdk.java.net/jeps/290)" +
+ "to set serialization filter to prevent deserialization leak.");
+ }
return new NativeJavaObjectInput(input);
}
}