java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; - Adobe Experience Manager(AEM)
We were receiving the following exception while deserializing the objects in AEMjava.lang.UnsupportedOperationException: Deserialization not allowed for class com.test.Test; (on Wed Sep 12 16:32:50 CDT 2018)
at org.kantega.notsoserial.DefaultNotSoSerial.preventDeserialization(DefaultNotSoSerial.java:256)
at org.kantega.notsoserial.DefaultNotSoSerial.onBeforeResolveClass(DefaultNotSoSerial.java:248)
at org.kantega.notsoserial.ObjectInputStreamClassVisitor.onBeforeResolveClass(ObjectInputStreamClassVisitor.java:48)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1819)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1874)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1529)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
The issue is due to the class name was not white listed in "Deserialization Firewall Configuration",Deserialization Firewall help as to mitigation the deserialization attacks in Java
It gives you complete control over which classes your application should be allowed to deserialize.
The error got changed to the below one after white listing the custom package name in "Deserialization Firewall Configuration".
java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; (on Wed Sep 12 16:32:50 CDT 2018)
at org.kantega.notsoserial.DefaultNotSoSerial.preventDeserialization(DefaultNotSoSerial.java:256)
at org.kantega.notsoserial.DefaultNotSoSerial.onBeforeResolveClass(DefaultNotSoSerial.java:248)
at org.kantega.notsoserial.ObjectInputStreamClassVisitor.onBeforeResolveClass(ObjectInputStreamClassVisitor.java:48)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1819)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1874)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1529)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)
The class name "[Ljava.lang.Object" should be white listed as the deserialization type is array of custom objects, the "Deserialization Firewall Configuration" already enabled with default value "[" so that all the arrray type should be white listed.
In our case unfortunately the default "[" value was removed from the configuration and due to that the serialization for array types are rejected. The issue got resolved after adding the default value "["
Please make sure the default value "[" is not removed from white list to support array type.
This is for my reference but i am happy if this help someone.
No comments:
Post a Comment