JEP-290
Overview
JEP-290 brought support for deserialization filters to Java programming language. Such filtering allows us to control which classes may be deserialized using Java serialization.
Deserialization setup
Helidon default settings forbids any deserialization except for patterns defined
in a pattern property of any META-INF/helidon/serial-config.properties on
classpath. The patterns are semicolon delimited strings, such as
io.myapp.**;java.util.HashMap (any subpackage of io.myapp and class
java.util.HashMap). Helidon will always add a deny-all filter pattern to
the end of the pattern string (to make sure we exclude any unspecified class -
we only operate on whitelists)
These defaults can be modified either through system properties, or programmatically.
System property configuration
The following system properties can be used to control deserialization in Helidon:
| property | default value | description |
|---|---|---|
helidon. | !* | Filter pattern to use, deny all is always added |
helidon. | false | Whether to ignore files META-INF/ in libraries on the classpath |
helidon. | FAIL | Action to do when the configuration of global filter exists and is not consistent with our security expectations (e.g. contains a pattern to include all).
Options:
|
helidon. | CONFIGURE | Action to do when there is no global configuration.
Options:
|
helidon. | NONE | Tracing configuration for deserialization. Controls what information (if any) will be logged to a logger io. in INFO log level.
Options:
|
Programmatic configuration
Custom SerializationConfig may be registered, but it must be done before
Helidon server is started.
Configure custom Helidon serialization config: