0 Replies Latest reply on Apr 25, 2019 7:19 AM by 1ff197f9-c84c-43c1-8850-a02f899187f5

    How to avoid Unsafe De-serialization on JMS ObjectMessage?



      We have a tool that checks the security of the software, and it flags up when we deserialize a Java object message.

      I have a solution from this link: https://adityagollapudi.wordpress.com/2016/05/22/unsafe-java-deserialization/




      MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();

      msg is the Message object from JMS.

      If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.



      I tried implementing that, but my MessageBean class already implements MessageDrivenBean and MessageListener, and now I am adding extends ObjectInputStream to resolve the class for safe deserialization, overriding the resolveClass() method.

      But an unknown error happened while installing/updating this EAR file.




      1. Is there any method other than getObject to get the desired 'MessageObj' from the JMS msg object?

      2. Can we implement ObjectInputStream alongside MessageDrivenBean and MessageListener?
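The look-ahead pattern the post refers to can live in its own small class rather than in the message-driven bean itself; the following is an added example, not code from the post or the linked article. It assumes the application's message class is com.example.MessageObj (placeholder) and that the payload arrives as raw bytes (for instance from a javax.jms.BytesMessage) rather than through ObjectMessage.getObject(), which deserializes inside the JMS provider before any resolveClass() override can see the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Look-ahead ObjectInputStream: resolveClass() runs for every class descriptor
// in the stream BEFORE an instance of that class is created, so a class that is
// not on the allow-list is rejected before any of its code can execute.
public class LookAheadObjectInputStream extends ObjectInputStream {

    // Only these classes may appear in the stream. "com.example.MessageObj" is a
    // placeholder for the application's own message class; the java.lang entries
    // cover boxed fields (Integer, Long, ...) that MessageObj may contain.
    // Extend the list deliberately, one class at a time, never with a package wildcard.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "com.example.MessageObj",
            "java.lang.Number", "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
            "java.util.ArrayList"));

    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            // Rejecting here stops the stream before the unexpected class is loaded.
            throw new InvalidClassException(desc.getName(), "class not allowed for deserialization");
        }
        return super.resolveClass(desc);
    }

    // Helper for a message-driven bean: deserialize a payload received as bytes
    // and cast it to the expected type, so a stream containing anything else
    // fails with InvalidClassException or ClassCastException instead of being used.
    public static <T> T readChecked(byte[] payload, Class<T> expected)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(payload))) {
            return expected.cast(ois.readObject());
        }
    }
}
```

In onMessage(), copy the BytesMessage body into a byte array and call LookAheadObjectInputStream.readChecked(bytes, MessageObj.class); the bean keeps implementing MessageDrivenBean and MessageListener and never has to extend ObjectInputStream itself.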