0 Replies Latest reply on Apr 25, 2019 7:19 AM by 1ff197f9-c84c-43c1-8850-a02f899187f5

    How to avoid Unsafe De-serialization on JMS ObjectMessage?

    1ff197f9-c84c-43c1-8850-a02f899187f5

      Hi,

We have a tool to check the security of the software, and it is flagging when we are deserializing a Java object message.

      I have a solution in this link. https://adityagollapudi.wordpress.com/2016/05/22/unsafe-java-deserialization/

      Error:

      ---------

      MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();

msg is a Message object from JMS

      If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.

I tried implementing that, but my MessageBean class already implements MessageDrivenBean and MessageListener, and now I am adding extends ObjectInputStream to resolve the class to safely deserialize, overriding the resolveClass() method.

But an unknown error happened while installing/updating this EAR file.

      Question

      ------------

1. Is there any method other than getObject to get the desired 'MessageObj' from the JMS msg object?

2. Can we implement ObjectInputStream alongside MessageDrivenBean and MessageListener?