Paul Ferraro closed WFLY-13296.
-------------------------------
Resolution: Duplicate Issue
Duplicate of WFLY-13077.
Allow distributable deployments to leverage ProtoStream to marshal distributable objects
----------------------------------------------------------------------------------------
Key: WFLY-13296
URL: https://issues.redhat.com/browse/WFLY-13296
Project: WildFly
Issue Type: Feature Request
Components: Clustering
Affects Versions: 19.0.0.Final
Reporter: Paul Ferraro
Assignee: Paul Ferraro
Priority: Major
EAP currently uses JBoss Marshalling to serialize user objects (e.g. HttpSession
attributes, SFSB instances, JPA entity keys, CommandDispatcher commands, etc.).
JBoss Marshalling is convenient, as it follows roughly the same usage semantics as Java
Serialization. Consequently, it suffers from the same security concerns as Java
Serialization, specifically:
https://cwe.mitre.org/data/definitions/502.html
https://docs.oracle.com/javase/6/docs/platform/serialization/spec/securit...
ProtoStream (https://github.com/infinispan/protostream), which is now the default
marshalling framework used by Infinispan since RHDG 8, offers an alternative to JBoss
Marshalling, with some attractive advantages:
* Invulnerable to arbitrary code execution during unmarshalling
* Reduced memory footprint during marshalling/unmarshalling
* Marginally smaller replication/persistence payload sizes (in general)
This RFE seeks to allow users to use ProtoStream for marshalling of distributable
objects. This will require:
* The org.infinispan.protostream module to be public and exported to user deployments
* Instructions for developers on how to generate protobuf schemas for their distributable
objects
* A mechanism for determining the user's intention to use ProtoStream instead of
JBoss Marshalling.
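
The CWE-502 concern described above, as an added JDK-only example that is not part of the original issue and is not WildFly, JBoss Marshalling or ProtoStream code. It contrasts a reader that instantiates whatever class the stream names with a fixed-layout reader standing in for schema-based marshalling; the class names Hooked and Cart and the input bytes are constructed for illustration.

```java
import java.io.*;

public class MarshallingContrast {
    // Constructed stand-in for any Serializable class on the classpath with a deserialization hook.
    static class Hooked implements Serializable {
        static boolean hookRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true; // runs during unmarshalling, before the caller sees the object
        }
    }
    // The type the application expects to read back (hypothetical session attribute).
    static class Cart implements Serializable {
        final String owner; final int items;
        Cart(String owner, int items) { this.owner = owner; this.items = items; }
    }
    // Serialization-style: the stream names the class and the reader instantiates it.
    static Object readNative(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
    // Schema-style: the reader fixes the type and field layout; the bytes carry only values.
    static byte[] writeCart(Cart c) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(bytes)) {
            out.writeUTF(c.owner);
            out.writeInt(c.items);
        }
        return bytes.toByteArray();
    }
    static Cart readCart(byte[] data) throws IOException {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(data))) {
            return new Cart(in.readUTF(), in.readInt());
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(new Hooked()); }
        byte[] unexpected = bytes.toByteArray(); // constructed input: not the type the reader wants
        try { Cart c = (Cart) readNative(unexpected); }
        catch (ClassCastException e) { System.out.println("native: cast failed, hook ran = " + Hooked.hookRan); }
        Hooked.hookRan = false;
        try { readCart(unexpected); }
        catch (IOException e) { System.out.println("schema: input rejected, hook ran = " + Hooked.hookRan); }
        Cart ok = readCart(writeCart(new Cart("alice", 3)));
        System.out.println("schema round trip: " + ok.owner + " / " + ok.items);
    }
}
```

In the native path the cast to Cart happens only after readObject() has returned, so a type check at the call site comes too late to stop the hook from running.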