1 Reply Latest reply on Apr 17, 2019 9:01 PM by G R McHugh-Oracle

    Serialization Filter in Java 1.7.0_211?

    BigBrew

      Hello,

      Background info: WebLogic 10.3.6 running under Java 1.7.0_211 on Solaris

      We are seeing rejections from the Object Input Filter in our server log. For example:

      java.io.ObjectInputStream filterCheck
      INFO: ObjectInputFilter REJECTED: class java.rmi.server.RemoteObjectInvocationHandler, array length: -1, nRefs: 7, depth: 2, bytes: 230, ex: n/a

      My questions are fairly basic: Both the jdk.serialFilter and the sun.rmi.registry.registryFilter properties are NOT set via the command line nor in the java.security file (commented out). So why is any filtering occurring at all? I've been down the rabbit hole of the JDK source for java.io.ObjectInputStream and a decompiled sun.misc.ObjectInputFilter. I cannot see where any filtering should be occurring if the filter property is not set. Is there a default being set somewhere? I've attempted to open up the filtering by setting jdk.serialFilter=* in the java.security file, but that just caused the server to fail to start up due to a reject on a "null" class:

      java.io.ObjectInputStream filterCheck
      INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 501, depth: 13, bytes: 7948, ex: n/a

      Any insight would be appreciated.

      Thanks,

      Bob
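The filter strings discussed in the post (jdk.serialFilter, sun.rmi.registry.registryFilter) follow the JEP 290 pattern syntax, and JEP 290 also gives the RMI registry and DGC built-in filters that apply even when those properties are unset. To make the evaluation order concrete, here is an added Python model of that syntax, written for this page and not taken from the JDK or from the poster: global limits (maxdepth, maxrefs, maxbytes, maxarray) are checked first and reject on their own whatever the class, including a "null" class; only afterwards are the class patterns tried in order, with the first match deciding and unmatched classes left UNDECIDED. The allow-list string and the maxrefs=500 limit used in the demo are constructed assumptions, not the server's actual configuration; the two log lines are the ones quoted in the post, and array class names are written with a trailing `[]` as this model's own convention.

```python
"""Model of JEP 290 serialization-filter pattern semantics (jdk.serialFilter).

Constructed for illustration; this is not the JDK's ObjectInputFilter code.
Evaluation order mirrors the documented behaviour: the global limits
(maxdepth, maxrefs, maxbytes, maxarray) are checked first and reject on
their own, whatever the class; only then are the class patterns tried in
order, the first match deciding; a class no pattern matches is UNDECIDED.
"""
import re

REJECTED, ALLOWED, UNDECIDED = "REJECTED", "ALLOWED", "UNDECIDED"
LIMIT_KEYS = ("maxdepth", "maxrefs", "maxbytes", "maxarray")
PRIMITIVES = {"boolean", "byte", "char", "short", "int", "long", "float", "double"}

# Shape of the INFO line that java.io.ObjectInputStream.filterCheck logs.
LOG_RE = re.compile(
    r"ObjectInputFilter (?P<status>\w+): (?:class )?(?P<cls>\S+), array length: (?P<arr>-?\d+), "
    r"nRefs: (?P<refs>\d+), depth: (?P<depth>\d+), bytes: (?P<bytes>\d+)")

# The two log lines quoted in the post, kept for replay below.
REJECT_CLASS = ("INFO: ObjectInputFilter REJECTED: class java.rmi.server.RemoteObjectInvocationHandler, "
                "array length: -1, nRefs: 7, depth: 2, bytes: 230, ex: n/a")
REJECT_NULL = "INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 501, depth: 13, bytes: 7948, ex: n/a"
# Constructed allow-list in the style of an RMI registry filter: anything not listed hits '!*'.
ALLOW_LIST = "maxdepth=20;java.lang.String;java.lang.Number;java.rmi.Remote;!*"


def _make_matcher(p):
    """Predicate for one class pattern (Java 9+ 'module/' prefixes are not modelled)."""
    if p.endswith(".**"):                      # the package and all of its subpackages
        prefix = p[:-2]                        # keep the trailing '.'
        return lambda name: name.startswith(prefix)
    if p.endswith(".*"):                       # exactly that package
        pkg = p[:-1]
        return lambda name: name.startswith(pkg) and "." not in name[len(pkg):]
    if p.endswith("*"):                        # any class with that prefix; a bare '*' matches all
        prefix = p[:-1]
        return lambda name: name.startswith(prefix)
    return lambda name: name == p              # exact class name


def create_filter(pattern):
    """Parse a jdk.serialFilter-style string into a check(...) function."""
    limits = {}
    class_patterns = []                        # (reject?, matcher) in the order written
    for raw in pattern.split(";"):
        p = raw.strip()
        if not p:
            continue
        if "=" in p:
            key, _, value = p.partition("=")
            if key not in LIMIT_KEYS:
                raise ValueError("unknown limit " + key)
            limits[key] = int(value)
        else:
            reject = p.startswith("!")
            class_patterns.append((reject, _make_matcher(p[1:] if reject else p)))

    def check(serial_class=None, array_length=-1, depth=0, refs=0, stream_bytes=0):
        """serial_class is a dotted name (arrays end in '[]'); None means no class to judge."""
        inf = float("inf")
        if (refs > limits.get("maxrefs", inf) or depth > limits.get("maxdepth", inf)
                or stream_bytes > limits.get("maxbytes", inf)):
            return REJECTED                    # limits reject before any pattern is consulted
        if serial_class is None:
            return UNDECIDED                   # limit-only check, nothing for the patterns to match
        base = serial_class
        if base.endswith("[]"):
            if 0 <= array_length and array_length > limits.get("maxarray", inf):
                return REJECTED
            base = base.rstrip("[]")           # arrays are judged by their component type
        if base in PRIMITIVES:
            return UNDECIDED
        for reject, matches in class_patterns:
            if matches(base):
                return REJECTED if reject else ALLOWED
        return UNDECIDED                       # ObjectInputStream only throws on REJECTED

    return check


def replay(line, pattern):
    """Re-evaluate a logged filterCheck line against a candidate filter string."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a filterCheck log line")
    cls = None if m.group("cls") == "null" else m.group("cls")
    return create_filter(pattern)(cls, int(m.group("arr")), int(m.group("depth")),
                                  int(m.group("refs")), int(m.group("bytes")))


if __name__ == "__main__":
    print(replay(REJECT_CLASS, ALLOW_LIST))       # REJECTED: the trailing '!*' catches the handler class
    print(replay(REJECT_NULL, "*"))               # UNDECIDED: '*' sets no limits and a null class matches nothing
    print(replay(REJECT_NULL, "maxrefs=500;*"))   # REJECTED: the constructed maxrefs limit fires before '*'
```

The replay helper is the useful part when reading a server log: feed it the logged REJECTED line and the filter string you believe is in effect, and the result tells you whether a class pattern or a limit would have produced that rejection. A "null" class with a large nRefs or depth can only be rejected by a limit, because the pattern list is never consulted for a null class.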