Forum Stats

  • 3,824,942 Users
  • 2,260,442 Discussions


How to avoid Unsafe De-serialization on JMS ObjectMessage?


     We have some tool to check security of the software and it is flagging up when we are deserializing an java object message.

I have a solution in this link.



MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();

msg is Message object from JMS

If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.

I tried implementing that but My MessageBean class is already implementing MessageDrivenBean, MessageListener and now I am adding extends ObjectInputStream to resolve the class to safely deserialize, overriding resolveClass() method.

But unknown error happened while installing/updating this ear file.



1. Is there any method other than getObject to get desired 'MessageObj' from JMS msg object?

2. Can we implement ObjectInputStream alongside with MessageDrivenBean, MessageListener ?