You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ignite.apache.org by Pradeep Badiger <Pr...@fico.com> on 2020/09/09 14:40:54 UTC
Issue with serialization data security - 2.5.0
Hi,
We are running into an issue with serialization security in Ignite 2.5.0 with whitelisting enabled. We start the cache inside an application in embedded mode. The cache is partitioned with read through/write behind enabled. I am getting the below exception while working with the cache. Note that this does not happen always.
2020-08-04 14:05:38.482 [sys-#41] ERROR ignite.internal.processors.continuous.GridContinuousProcessor - Failed to process message (ignoring): GridContinuousMessage [type=MSG_EVT_NOTIFICATION, routineId=e6f15316-b9c4-4316-878f-188401f64acf, data=null, futId=null]
org.apache.ignite.IgniteCheckedException: Deserialization of class org.apache.ignite.util.deque.FastSizeDeque is disallowed.
at org.apache.ignite.internal.util.IgniteUtils.unmarshal(IgniteUtils.java:9968) [dmipDPC.jar:?]
at org.apache.ignite.internal.processors.continuous.GridContinuousProcessor$7.onMessage(GridContinuousProcessor.java:266) [dmipDPC.jar:?]
at org.apache.ignite.internal.managers.communication.GridIoManager.invokeListener(GridIoManager.java:1556) [dmipDPC.jar:?]
at org.apache.ignite.internal.managers.communication.GridIoManager.processRegularMessage0(GridIoManager.java:1184) [dmipDPC.jar:?]
at org.apache.ignite.internal.managers.communication.GridIoManager.access$4200(GridIoManager.java:125) [dmipDPC.jar:?]
at org.apache.ignite.internal.managers.communication.GridIoManager$9.run(GridIoManager.java:1091) [dmipDPC.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_231]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_231]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_231]
Caused by: java.lang.RuntimeException: Deserialization of class org.apache.ignite.util.deque.FastSizeDeque is disallowed.
at org.apache.ignite.internal.util.IgniteUtils.forName(IgniteUtils.java:8606) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.MarshallerContextImpl.getClass(MarshallerContextImpl.java:349) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.binary.BinaryContext.descriptorForTypeId(BinaryContext.java:688) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.binary.BinaryReaderExImpl.deserialize0(BinaryReaderExImpl.java:1755) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.binary.BinaryReaderExImpl.deserialize(BinaryReaderExImpl.java:1714) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.binary.GridBinaryMarshaller.deserialize(GridBinaryMarshaller.java:310) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.binary.BinaryMarshaller.unmarshal0(BinaryMarshaller.java:99) ~[dmipDPC.jar:?]
at org.apache.ignite.marshaller.AbstractNodeNameAwareMarshaller.unmarshal(AbstractNodeNameAwareMarshaller.java:82) ~[dmipDPC.jar:?]
at org.apache.ignite.internal.util.IgniteUtils.unmarshal(IgniteUtils.java:9962) [dmipDPC.jar:?]
... 8 more
I looked at org.apache.ignite.internal.IgniteKernal#classWhiteList and it loads the META-INF/classnames.txt and META-INF/classnames-jdk.txt files before loading the user configured whitelist classes file. I don't see the mention of org.apache.ignite.util.deque.FastSizeDeque class in the META-INF/classnames.txt file. Is this a bug within Ignite?
Thanks,
Pradeep V.B.
This email and any files transmitted with it are confidential, proprietary and intended solely for the individual or entity to whom they are addressed. If you have received this email in error please delete it immediately.
Re: Issue with serialization data security - 2.5.0
Posted by akorensh <al...@gmail.com>.
Hi,
2.5.0 is a bit outdated. I suggest you upgrade to the latest version and
retry.
If it is still an issue using the latest version, please include a
reproducer and we will take a look.
Thanks, Alex
--
Sent from: http://apache-ignite-users.70518.x6.nabble.com/