
Java Security


How to avoid Unsafe De-serialization on JMS ObjectMessage?

1ff197f9-c84c-43c1-8850-a02f899187f5, Apr 25 2019 (edited Apr 25 2019)

Hi,

We have a tool to check the security of our software, and it flags a finding when we deserialize a Java object message.

I have a solution in this link. https://adityagollapudi.wordpress.com/2016/05/22/unsafe-java-deserialization/

Error:

---------

MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();

msg is Message object from JMS

If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.

I tried implementing that, but my MessageBean class already implements MessageDrivenBean and MessageListener, and now I am adding "extends ObjectInputStream" to resolve the class and deserialize safely, overriding the resolveClass() method.

But an unknown error happened while installing/updating this EAR file.

Question

------------

1. Is there any method other than getObject() to get the desired 'MessageObj' from the JMS msg object?

2. Can we implement ObjectInputStream alongside MessageDrivenBean and MessageListener?
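Added example, not code from the original post or from any vendor: the look-ahead pattern written as its own ObjectInputStream subclass plus a small helper, so the MDB keeps implementing MessageDrivenBean and MessageListener and just calls the helper from onMessage() instead of extending ObjectInputStream itself. It assumes the payload travels as raw bytes (a JMS BytesMessage) rather than an ObjectMessage, because getObject() deserializes inside the provider where resolveClass() cannot intercept it; the class names MessageObj, LookAheadDemo and LookAheadObjectInputStream are assumptions.

```java
import java.io.*; import java.util.Set;

// Added example (not from the original post). The MDB calls readMessageObj() from
// onMessage(); it does not extend ObjectInputStream. Class names are assumptions.
public class LookAheadDemo {
    // Fully qualified names of every class the consumer will instantiate from a stream.
    static final Set<String> ALLOWED = Set.of("MessageObj", "java.lang.String");

    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        // Invoked for each class descriptor before an instance is created, so an
        // unexpected class is rejected before any of its code can run.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Payload arrives as bytes (BytesMessage.readBytes(buf) in onMessage), so the
    // deserialization runs through our stream instead of the provider's getObject().
    static MessageObj readMessageObj(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(payload))) {
            return (MessageObj) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readMessageObj(serialize(new MessageObj("hello"))).text); // accepted
        try {
            readMessageObj(serialize(new java.util.ArrayList<String>()));            // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}

// Stand-in for the poster's MessageObj (assumption); top level so its name is "MessageObj".
class MessageObj implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    MessageObj(String text) { this.text = text; }
}
```

On Java 9+ (and 8u121+) the same allowlist can be applied without subclassing via ObjectInputStream.setObjectInputFilter() or the jdk.serialFilter system property, which also covers streams the application does not construct itself.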

Comments

2827010
Each portlet you create in JDev 11.1.1.6 is WSRP 2.0 enabled by default.
The portlet.xml is according to the portlet 2.0 standards which enabled IPC.

JDev does not have a wizard to let you add IPC parameters. You just need to add parameters to the portlet.xml.

You can read this: http://yonaweb.be/inter_portlet_communication_jsr_286_and_webcenter_11g_ps3
