
How to avoid Unsafe De-serialization on JMS ObjectMessage?

Hi,

We have a tool that checks the security of our software, and it flags a finding when we deserialize a Java object message.

I have a solution in this link. https://adityagollapudi.wordpress.com/2016/05/22/unsafe-java-deserialization/

Error:

---------

MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();

msg is Message object from JMS

If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.

I tried implementing that, but my MessageBean class already implements MessageDrivenBean and MessageListener, and now I am adding extends ObjectInputStream, overriding the resolveClass() method, so that classes can be resolved and deserialized safely.

But an unknown error happened while installing/updating this ear file.

Question

------------

1. Is there any method other than getObject to get desired 'MessageObj' from JMS msg object?

2. Can we implement ObjectInputStream alongside MessageDrivenBean and MessageListener?