Object deserialisation retrieves the wrong class instance
---------------------------------------------------------
Key: JBESB-1130
URL: http://jira.jboss.com/jira/browse/JBESB-1130
Project: JBoss ESB
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Rosetta
Affects Versions: 4.2.1 IR1
Reporter: Kevin Conner
Assigned To: Kevin Conner
Priority: Critical
Fix For: 4.2.1 IR2
The object deserialisation used within the codebase is not safe within an EE environment.
The standard ObjectInputStream ignores the thread context classloader when loading
classes, associating any loaded class with the first classloader found while walking
up the current call stack. In our case this will usually be the classloader associated with
the jbossesb.sar.
The outcome of this is that the class retrieved from the incorrect classloader may
be a stale class, resulting in runtime errors such as the one below.
java.lang.ClassCastException: org.jboss.soa.esb.dvdstore.OrderHeader
    at org.jboss.soa.esb.samples.quickstart.businessrules.ReviewMessage.process(ReviewMessage.java:41)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:266)
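The usual way to make deserialisation honour the deployment's classloader is to subclass ObjectInputStream and override resolveClass so that it consults the thread context classloader before falling back to the default stack-walking lookup. The following is an added illustration of that approach, not JBoss ESB's own code: the OrderHeader type is a constructed stand-in for the class in the trace above, and roundTrip is a hypothetical helper that serialises and reads back a value through the classloader-aware stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

/**
 * ObjectInputStream variant that resolves classes through the thread context
 * classloader (TCCL) first and only then falls back to the JDK's default lookup,
 * which picks the first non-bootstrap classloader found on the call stack.
 * Illustrative code added here; not the JBoss ESB implementation.
 */
public class ContextClassLoaderObjectInputStream extends ObjectInputStream {

    public ContextClassLoaderObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        if (tccl != null) {
            try {
                // initialize=false: only the Class object is needed, as in the JDK lookup.
                return Class.forName(desc.getName(), false, tccl);
            } catch (ClassNotFoundException notVisibleToTccl) {
                // Primitive descriptors ("int", ...) and classes the deployment cannot
                // see are handled by the default lookup below.
            }
        }
        return super.resolveClass(desc);
    }

    // Hypothetical helper: serialise a value and read it back via the TCCL-aware stream.
    public static Object roundTrip(Serializable value)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        try (ObjectInputStream ois = new ContextClassLoaderObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();
        }
    }

    // Constructed stand-in for the OrderHeader class named in the stack trace.
    public static class OrderHeader implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderHeader(String orderId) { this.orderId = orderId; }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader original = Thread.currentThread().getContextClassLoader();
        // In a container the TCCL is the deployment's classloader; here we set it to
        // the loader that defined OrderHeader so the same Class instance is resolved.
        Thread.currentThread().setContextClassLoader(OrderHeader.class.getClassLoader());
        try {
            Object o = roundTrip(new OrderHeader("order-42"));
            // Same Class instance as the caller's, so the cast succeeds.
            System.out.println(o.getClass() == OrderHeader.class);
            OrderHeader header = (OrderHeader) o;
            System.out.println(header.orderId);
        } finally {
            Thread.currentThread().setContextClassLoader(original);
        }
    }
}
```

The fallback to super.resolveClass matters: the JDK resolves primitive descriptors and classes outside the TCCL's visibility there, so skipping it would break streams that the stock ObjectInputStream reads correctly. Keeping the TCCL lookup first is what ensures the class associated with the deployment, rather than the one cached by the jbossesb.sar loader, is the one handed back to the caller.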
--
This message is automatically generated by JIRA.