We have some tool to check security of the software and it is flagging up when we are deserializing an java object message.
I have a solution in this link. https://adityagollapudi.wordpress.com/2016/05/22/unsafe-java-deserialization/
MessageObj newMsg = (MessageObj) ((ObjectMessage) msg).getObject();
msg is Message object from JMS
If possible, do not deserialize untrusted data without validating the contents of the object stream. In order to validate classes being deserialized, the look-ahead deserialization pattern should be used.
I tried implementing that but My MessageBean class is already implementing MessageDrivenBean, MessageListener and now I am adding extends ObjectInputStream to resolve the class to safely deserialize, overriding resolveClass() method.
But unknown error happened while installing/updating this ear file.
1. Is there any method other than getObject to get desired 'MessageObj' from JMS msg object?
2. Can we implement ObjectInputStream alongside with MessageDrivenBean, MessageListener ?