Java Security

How to avoid Unsafe De-serialization on JMS ObjectMessage?

1ff197f9-c84c-43c1-8850-a02f899187f5 · Apr 25 2019 — edited Apr 25 2019

Hi,

We have a tool to check the security of the software, and it flags an issue when we deserialize a Java object message.

I have a solution in this link. https://adityagollapudi.wordpress.com/2016/05/22/unsafe-java-deserialization/

Error:

---------

MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();

msg is Message object from JMS

If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.

I tried implementing that, but my MessageBean class already implements MessageDrivenBean and MessageListener, and now I am adding extends ObjectInputStream to resolve the class and deserialize safely, overriding the resolveClass() method.

But an unknown error happened while installing/updating this ear file.

Question

------------

1. Is there any method other than getObject to get the desired 'MessageObj' from the JMS msg object?

2. Can we implement ObjectInputStream alongside MessageDrivenBean and MessageListener?
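
An added example (not from the original post or the linked article) of the look-ahead pattern the question refers to: the allow-list check sits in a small helper stream that the bean calls, instead of the bean extending ObjectInputStream itself. It assumes the serialized payload is available as a byte array (for instance from a BytesMessage, which is an assumption about the sender); MessageObj here is a constructed stand-in, and LookAheadObjectInputStream, readMessage and serialize are hypothetical names.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Set;

public class LookAheadDemo {
    // Constructed stand-in for the poster's MessageObj (field is hypothetical).
    static class MessageObj implements Serializable {
        private static final long serialVersionUID = 1L;
        final String body;
        MessageObj(String body) { this.body = body; }
    }

    // Helper stream: the message-driven bean uses it, it does not extend it.
    static class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Runs when a class descriptor is read, before any instance is created.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // What onMessage() would call once it has the raw payload bytes.
    static MessageObj readMessage(byte[] payload) throws IOException, ClassNotFoundException {
        Set<String> allowed = Collections.singleton(MessageObj.class.getName());
        try (ObjectInputStream in =
                 new LookAheadObjectInputStream(new ByteArrayInputStream(payload), allowed)) {
            return (MessageObj) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readMessage(serialize(new MessageObj("hello"))).body);
        try { readMessage(serialize(new ArrayList<String>())); }   // class not on the list
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Where the provider deserializes internally, as with getObject(), the JDK's process-wide serialization filter (the jdk.serialFilter property from JEP 290) applies a comparable allow-list to streams that do not set a filter of their own.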

Comments

Hamza Al-abbasi
Answer

Hello Ace1,
Can you give a screenshot?

Marked as Answer by Ace1 · Feb 15 2022
Ace1

Sure,

Hamza Al-abbasi

What is the problem with zoom out?

Ace1

Hamza,
The problem with zoom out occurred with items, but it was just a workaround. I'd like to have the IG with a feature like the one I pasted above in the screenshot.

Hamza Al-abbasi

The IG Cookbook app has an example like that on my workspace:
Workspace: hamzasoft
Username/Password: demo/demo0000
Application 138659 - Page 5

Ace1

It's not a solution, I need to dynamically sum a column inside the IG, not as an item in another region.

Hamza Al-abbasi

This is not a built-in feature; it needs more JS. In this case it will work if your IG pagination is scroll with aggregate. I have an example on my workspace:
Workspace: hamzasoft
Username/Password: demo/demo0000
Application 62472 - Page 17

Ace1

Hamza, thanks a lot! This is exactly what I needed

John Snyders-Oracle

For newer APEX releases take a look at
JSDoc: Interface: model, properties aggregates.
For example, for the EMP table SAL column, add to the JS init code:

function(options) {
    options.defaultGridColumnOptions = {
        aggregates: ["SUM"]
    };
    return options;
}

This is much less code than the old way!

Ace1

@john-snyders-oracle thanks a lot! It's working great, but I struggle with one thing: how to round values?

John Snyders-Oracle

I think all you need to do is give the column a format mask. I tried FML999G999G999G999G990D00. This is the declarative option Format Mask for a number column.
One other note for using aggregates option is that the IG must have a primary key defined.

Ace1

@john-snyders-oracle I tried with FML999G999G999G999G990D00 and it's still the same, I have a number column type and a primary key in my IG.

John Snyders-Oracle

Just give the column a format mask.

Mohamed Sameer

@hamza-alabbasi
Do you have a JS function to get a sum of multiple columns in IG?

Hamza Al-abbasi

Hi md-sameer,
Please open a new thread and explain your issue.

User187849

Hi,
I have added the same logic in the SUM column properties but I couldn't get the total value

function(options) {
    options.defaultGridColumnOptions = {
        aggregates: ["SUM"]
    };
    return options;
}

Robin Biju

Hi John Snyders-Oracle, can this value be assigned to any page item?
Thanks.

John Snyders-Oracle

@robin-biju When using the model field option aggregates, the aggregate value cannot be stored directly in an item. There are ways to get data out of a model into an item, but it can be trickier for aggregate rows. (The model method getAggregateRecord is not documented and it is not clear how useful it is.)
If you want to save the aggregate value to a page item you can use the method shown in the IG Cookbook page 5.

Post Details

Added on Apr 25 2019