[esb-issues] [JBoss JIRA] Created: (JBESB-1130) Object deserialisation retrieves the wrong class instance

Object deserialisation retrieves the wrong class instance --------------------------------------------------------- Key: JBESB-1130 URL: http://jira.jboss.com/jira/browse/JBESB-1130 Project: JBoss ESB Issue Type: Bug Security Level: Public (Everyone can see) Components: Rosetta Affects Versions: 4.2.1 IR1 Reporter: Kevin Conner Assigned To: Kevin Conner Priority: Critical Fix For: 4.2.1 IR2 The object deserialisation used within the codebase is not safe within an EE environment. The standard ObjectInputStream ignores the thread context classloader when loading classes, associating any loaded class with the first classloader discovered while checking up the current stack. In our case this will usually be the classloader associated with the jbossesb.sar. The outcome of this is that the class retrieved from the incorrect classloader may represent a stale class and will result in runtime errors such as the one below. java.lang.ClassCastException: org.jboss.soa.esb.dvdstore.OrderHeader at org.jboss.soa.esb.samples.quickstart.businessrules.ReviewMessage.process(ReviewMessage.java:41) at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:266) -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira