You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/03/03 15:28:00 UTC

[jira] [Work logged] (ARTEMIS-4167) Enhance deserialization filter beyond black/whitelist functionality

     [ https://issues.apache.org/jira/browse/ARTEMIS-4167?focusedWorklogId=848984&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-848984 ]

ASF GitHub Bot logged work on ARTEMIS-4167:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 03/Mar/23 15:27
            Start Date: 03/Mar/23 15:27
    Worklog Time Spent: 10m 
      Work Description: jbertram commented on PR #4368:
URL: https://github.com/apache/activemq-artemis/pull/4368#issuecomment-1453699074

   The name "SerialFilter" is used throughout the changes. However, I think this should be changed to "DeserializationFilter" in order to be more accurate about what it is and to be consistent with the existing "DeserializationWhileList" and "DeserializationBlackList" as well.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 848984)
    Time Spent: 20m  (was: 10m)

> Enhance deserialization filter beyond black/whitelist functionality
> -------------------------------------------------------------------
>
>                 Key: ARTEMIS-4167
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4167
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>            Reporter: Scott Werner
>            Priority: Minor
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Now that Artemis is Java 11+ compatible, there is now the ability to set an ObjectInputFilter on an ObjectInputStream. There are also built in methods to generate filters similar to the current syntax and offers many other features out of the box. A global jvm property (jdk.serialFilter) can be set, but this is quite restrictive. I suggest adding a new serial filter pattern and class name of an ObjectInputFilter implementation, everywhere blacklist/whitelist exist today. In time we can look into converting the existing black/whitelist to the new format or just deprecating as the semantics are a bit different and may not be able to make it 100% compatible.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)