Class SerializationConfig


public final class SerializationConfig extends Object

Support for JEP 290 - deserialization filtering. The configuration options mentioned below will differ in Helidon 3.0.0; the following table lists the options:

Configuration Options

| system property | 2.x default | 3.x default | description |
|---|---|---|---|
| PROP_WRONG_CONFIG_ACTION | warn - SerializationConfig.Action.WARN | fail - SerializationConfig.Action.FAIL | What to do if an existing global deserialization filter exists without a global reject-list. |
| PROP_NO_CONFIG_ACTION | warn - SerializationConfig.Action.WARN | configure - SerializationConfig.Action.CONFIGURE | What to do if there is no global deserialization filter. |

The last option (not used by default) is to ignore the problem and do nothing (it can be used for both the wrong config and the no config case above).

Deserialization filtering in Helidon

The Helidon serialization filter is implemented to support allow-lists, automatically rejecting all classes that are not explicitly allowed. Helidon restrictions are only enforced on the global filter.

Custom pattern

To add patterns to the serial filter, use the system property "helidon.serialFilter.pattern". The pattern follows the rules defined by the JDK. Helidon adds a reject-all pattern as the last pattern if the configured pattern does not already define one.

As an alternative, a file PROPERTY_FILE can be created on the classpath to configure the filter for a specific library. Do not add a global reject to these patterns! The file has the following content:

    pattern=oracle.sql.converter.*
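
The effect of the trailing reject-all pattern can be reproduced with the JDK filter API alone: without it, classes that match no pattern are left undecided and the stream accepts them. This is an added example, not Helidon's code; it assumes JDK 9 or later and uses a per-stream filter, with java.util.Date and java.util.ArrayList as constructed stand-ins for a listed and an unlisted class.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Added illustration (plain JDK 9+, no Helidon classes). Date and ArrayList are
// constructed stand-ins for "a class on the allow-list" and "any other class".
public class SerialFilterPatternDemo {

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Deserialize under a per-stream filter built from a JDK filter pattern.
    static String read(byte[] data, String pattern) {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // Thrown when the filter returns Status.REJECTED for a class in the stream.
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] listed = serialize(new Date(0));
        byte[] unlisted = serialize(new ArrayList<>(List.of("x")));

        // Allow pattern only: unmatched classes are UNDECIDED, which the stream lets through.
        String allowOnly = "java.util.Date";
        // Same pattern with reject-all as the last entry: a real allow-list.
        String allowList = "java.util.Date;!*";

        for (String pattern : new String[] {allowOnly, allowList}) {
            System.out.println("pattern " + pattern);
            System.out.println("  Date      -> " + read(listed, pattern));
            System.out.println("  ArrayList -> " + read(unlisted, pattern));
        }
    }
}
```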

Deserialization tracing

A tracing filter can be configured using system property "helidon.serialFilter.trace" to log information messages for each deserialization request.

To discover class patterns needed, set "no config" and "wrong config" actions to warn or ignore, and configure basic tracing.

Options are:
  • none to disable tracing (this is the default)
  • basic to enable basic tracing (only traces requests for class deserialization)
  • full to enable full tracing (including sizes, depth etc.)

Method Details

    • builder

      public static SerializationConfig.Builder builder()
      Fluent API builder to configure options programmatically. To use defaults (or system properties), see configureRuntime().
      Returns: a new builder for SerializationConfig
    • configureRuntime

      public static void configureRuntime()
      Make sure configuration is as expected. This is a one-off call to set up the global filter.
    • configure

      public void configure()
      Configure deserialization filtering in the current VM. Note that the global filter can be configured only once, so make sure this method is invoked as soon as possible. This class keeps static information about the initial configuration, so as long as the configuration is unchanged, this method may be called multiple times.
      Throws: IllegalStateException - in case this method is called multiple times with different configuration.