Wednesday, September 12, 2018

java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; - Adobe Experience Manager(AEM)

java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; - Adobe Experience Manager(AEM)

We were receiving the following exception while deserializing the objects in AEM

java.lang.UnsupportedOperationException: Deserialization not allowed for class com.test.Test; (on Wed Sep 12 16:32:50 CDT 2018)
        at org.kantega.notsoserial.DefaultNotSoSerial.preventDeserialization(DefaultNotSoSerial.java:256)
        at org.kantega.notsoserial.DefaultNotSoSerial.onBeforeResolveClass(DefaultNotSoSerial.java:248)
        at org.kantega.notsoserial.ObjectInputStreamClassVisitor.onBeforeResolveClass(ObjectInputStreamClassVisitor.java:48)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1819)
        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
        at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1874)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1529)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

The issue is due to the class name was not white listed in "Deserialization Firewall Configuration",Deserialization Firewall  help as to mitigation the deserialization attacks in Java
It gives you complete control over which classes your application should be allowed to deserialize.

deserialization_firewall_aem
The error got changed to the below one after white listing the custom package name in "Deserialization Firewall Configuration".

java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; (on Wed Sep 12 16:32:50 CDT 2018)
        at org.kantega.notsoserial.DefaultNotSoSerial.preventDeserialization(DefaultNotSoSerial.java:256)
        at org.kantega.notsoserial.DefaultNotSoSerial.onBeforeResolveClass(DefaultNotSoSerial.java:248)
        at org.kantega.notsoserial.ObjectInputStreamClassVisitor.onBeforeResolveClass(ObjectInputStreamClassVisitor.java:48)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1819)
        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
        at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1874)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1529)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

The class name "[Ljava.lang.Object" should be white listed as the deserialization type is array of custom objects, the "Deserialization Firewall Configuration" already enabled with default value "[" so that all the arrray type should be white listed.

In our case unfortunately the default "[" value was removed from the configuration and due to that the serialization for array types are rejected. The issue got resolved after adding the default value "["

Please make sure the default value "["  is not removed from white list to support array type.

deserialization_firewall_aem

This is for my reference but i am happy if this help someone.

No comments:

Post a Comment