Wednesday, September 12, 2018

java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; - Adobe Experience Manager(AEM)

We were receiving the following exception while deserializing objects in AEM:

java.lang.UnsupportedOperationException: Deserialization not allowed for class com.test.Test; (on Wed Sep 12 16:32:50 CDT 2018)
        at org.kantega.notsoserial.DefaultNotSoSerial.preventDeserialization(DefaultNotSoSerial.java:256)
        at org.kantega.notsoserial.DefaultNotSoSerial.onBeforeResolveClass(DefaultNotSoSerial.java:248)
        at org.kantega.notsoserial.ObjectInputStreamClassVisitor.onBeforeResolveClass(ObjectInputStreamClassVisitor.java:48)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1819)
        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
        at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1874)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1529)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

The issue was that the class name was not whitelisted in the "Deserialization Firewall Configuration". The Deserialization Firewall helps to mitigate deserialization attacks in Java: it gives you complete control over which classes your application is allowed to deserialize.

[Image: deserialization_firewall_aem (Deserialization Firewall Configuration)]
After whitelisting the custom package name in the "Deserialization Firewall Configuration", the error changed to the one below.

java.lang.UnsupportedOperationException: Deserialization not allowed for class [Ljava.lang.Object; (on Wed Sep 12 16:32:50 CDT 2018)
        at org.kantega.notsoserial.DefaultNotSoSerial.preventDeserialization(DefaultNotSoSerial.java:256)
        at org.kantega.notsoserial.DefaultNotSoSerial.onBeforeResolveClass(DefaultNotSoSerial.java:248)
        at org.kantega.notsoserial.ObjectInputStreamClassVisitor.onBeforeResolveClass(ObjectInputStreamClassVisitor.java:48)
        at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1819)
        at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1713)
        at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1874)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1529)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2231)
        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2155)
        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2013)
        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1535)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:422)

The class name "[Ljava.lang.Object;" must also be whitelisted, because the type being deserialized is an array of custom objects. By default the "Deserialization Firewall Configuration" whitelist already contains the value "[", so that all array types are allowed.

In our case the default "[" value had unfortunately been removed from the configuration, so deserialization of array types was rejected. The issue was resolved after adding the default value "[" back.

Please make sure the default value "[" is not removed from the whitelist, so that array types remain supported.
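To show why the "[" entry matters, here is an added example (not the notsoserial or AEM code, and not the post's own) of a look-ahead whitelist implemented in plain Java by overriding ObjectInputStream.resolveClass, which is the same hook the stack trace above shows the firewall using. It assumes prefix matching, as the post's use of a package name implies, and uses the hypothetical names ArrayWhitelistDemo and Test (standing in for com.test.Test). The payload is a constructed Object[] holding one custom object, the same shape that produced the second exception.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;

public class ArrayWhitelistDemo {

    // Hypothetical custom type, standing in for com.test.Test from the post.
    static class Test implements Serializable {
        private static final long serialVersionUID = 1L;
        String value = "constructed";
    }

    // Look-ahead whitelist: the class descriptor is checked before the class is
    // loaded, which is where the firewall in the stack trace hooks in as well.
    static class WhitelistObjectInputStream extends ObjectInputStream {
        private final List<String> allowedPrefixes;

        WhitelistObjectInputStream(InputStream in, List<String> allowedPrefixes) throws IOException {
            super(in);
            this.allowedPrefixes = allowedPrefixes;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // For arrays the JVM name is the descriptor form, e.g. "[Ljava.lang.Object;"
            // for Object[] or "[I" for int[], so only a "[" prefix entry matches them;
            // a package prefix such as "java." or "com.test" never will.
            String name = desc.getName();
            for (String prefix : allowedPrefixes) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc);
                }
            }
            throw new UnsupportedOperationException("Deserialization not allowed for class " + name);
        }
    }

    static byte[] serialize(Object graph) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(graph);
        }
        return bos.toByteArray();
    }

    // Returns "ok" when the graph deserializes, otherwise the rejection message.
    static String tryDeserialize(byte[] bytes, List<String> allowedPrefixes) throws IOException {
        try (ObjectInputStream in =
                     new WhitelistObjectInputStream(new ByteArrayInputStream(bytes), allowedPrefixes)) {
            in.readObject();
            return "ok";
        } catch (UnsupportedOperationException | ClassNotFoundException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed payload with the same shape as in the post: an Object[] of custom objects.
        byte[] payload = serialize(new Object[] { new Test() });

        // Custom class whitelisted but "[" removed: the array descriptor is rejected
        // before any element is even looked at.
        List<String> withoutArrays = Arrays.asList("java.", "ArrayWhitelistDemo");
        System.out.println(tryDeserialize(payload, withoutArrays));

        // Default "[" entry restored: the array passes, and each element is still
        // checked against the whitelist on its own.
        List<String> withArrays = Arrays.asList("java.", "ArrayWhitelistDemo", "[");
        System.out.println(tryDeserialize(payload, withArrays));
    }
}
```

The first call fails with the same "Deserialization not allowed for class [Ljava.lang.Object;" message as the post, the second succeeds. Note that whitelisting "[" only admits the array container; the element classes are resolved separately and still have to match an entry, which is why the broad default is safe to keep.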

[Image: deserialization_firewall_aem (Deserialization Firewall Configuration with the default "[" value)]

This is for my reference, but I am happy if this helps someone.

Thursday, September 6, 2018

Adobe Experience Manager(AEM) On-Premises to Adobe Managed Service(AMS) Cloud Migration

This post explains the different things that should be considered while migrating an On-Premises Adobe Experience Manager (AEM) platform to the AWS cloud managed through AMS.

AMS cloud migration provides a lot of benefits:

  • Extend the server capacity based on demand
  • Quick spin-up of new servers
  • Lower management and initial setup cost
  • Better security and monitoring of the platform
  • Streamlined process
  • Higher availability

We have to weigh this option against how much control we require over the production environment, since AMS environments are restricted for client access.

[Image: AMS_deployment_model]

Below are some of the important items that need attention while migrating the On-Premises AEM platform to AMS Cloud.

Deployment options:

There are different deployment options available based on the SLA.

[Image: AMS_deployment_by_SLA]