Background info: WebLogic 10.3.6 running under Java 1.7.0_211 on Solaris
We are seeing rejections from the Object Input Filter in our server log. For example:
INFO: ObjectInputFilter REJECTED: class java.rmi.server.RemoteObjectInvocationHandler, array length: -1, nRefs: 7, depth: 2, bytes: 230, ex: n/a
My questions are fairly basic: Both the jdk.serialFilter and the sun.rmi.registry.registryFilter properties are NOT set via the command line nor in the java.security file (commented out). So why is any filtering occurring at all? I've been down the rabbit hole of the JDK source for java.io.ObjectInputStream and a decompiled sun.misc.ObjectInputFilter. I cannot see where any filtering should be occurring if the filter property is not set. Is there a default being set somewhere? I've attempted to open up the filtering by setting jdk.serialFilter=* in the java.security file, but that just caused the server to fail start up due to a reject on a "null" class:
INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 501, depth: 13, bytes: 7948, ex: n/a
Any insight would be appreciated.